Access control system

ABSTRACT

Provided is a method for access control, performed by an access control apparatus, including obtaining access authorization information that is communicated to the access control apparatus having at least one access authorization parameter and first check information; using at least the communicated access authorization parameters, the communicated first check information and a second key from a key pair, which second key is stored in the access control apparatus, to perform a first check on whether the communicated first check information has been produced by performing cryptographic operations by means of access authorization parameters corresponding to the communicated access authorization parameters using at least one first key from the key pair, and deciding whether access can be granted, based on the first check delivers a positive result and it is established that at least one predefined set of the communicated access authorization parameters respectively provides access authorization.

CROSS-REFERENCE TO RELATED PATENT APPLICATIONS

This patent application is a continuation of PCT/EP2014/076554, filedDec. 4, 2014, which claims priority to German Application No. 10 2013113 554.4, filed Dec. 5, 2013, and German Application No. 10 2014 105243.9, filed Apr. 11, 2014, the entire teachings and disclosure of whichare incorporated herein by reference thereto.

FIELD

Exemplary embodiments of the invention relate to an access controlsystem, the components thereof and methods performed by said components.Exemplary embodiments of the invention relate, in particular, to asystem for controlling access to parcel or goods delivery containers bydifferent persons.

BACKGROUND

Access control systems find application in many different ways, forexample for controlling access of persons to rooms of a building, as isthe case for example in hotels, office complexes or laboratories, toevents, or else in abstract form to functions, resources or services,for example computer functions or resources or server services.

A specific application of access control systems is also constituted bycontrolling access of persons to openings of containers, such as e.g.lockboxes or goods delivery containers, in particular parcel boxes.Parcel boxes enable a new form of delivery/retrieval of parcels forpersons who want to receive or send parcels even when they are away fromtheir residence, or in the vicinity of their residence. For thispurpose, parcel boxes are usually installed in front of the residence ofthe parcel box user—in a manner similar to a mailbox, but with a largercapacity—and parcels are then delivered by the deliverer by insertioninto the parcel box or are retrieved by withdrawal from the parcel box.In order to prevent misuse and theft, the parcel box must have a lock.Both the deliverer and the parcel box user must then be equipped withphysical or logical keys in order to be able to use the parcel box.

SUMMARY OF SOME EXEMPLARY EMBODIMENTS OF THE INVENTION

To date there has been no satisfactory access control system for aninstallation of a plurality of parcel boxes which makes it possible forthe boxes to operate without a network link—that is to say offline—andfor secure and flexible granting of parcel box access authorizationsboth to the deliverers and to the parcel box users nevertheless to beensured.

The present invention has therefore set itself the object of overcomingthis problem.

A first aspect of the invention discloses a method for access control,performed by an access control apparatus, the method comprising

-   -   obtaining access authorization information communicated to the        access control apparatus and comprising at least one or more        access authorization parameters and first check information,    -   first checking, using at least the communicated access        authorization parameters, the communicated first check        information and a second key of a symmetrical or asymmetrical        key pair, said second key being stored in the access control        apparatus, as to whether the communicated first check        information was generated by performing cryptographic operations        on access authorization parameters corresponding to the        communicated access authorization parameters using at least a        first key of the key pair,    -   deciding whether access is permitted to be granted, wherein        necessary conditions for granting access are that the first        checking yields a positive result and that it is determined that        at least one predefined set of the communicated access        authorization parameters, in view of respective pieces of        reference information present in the access control apparatus at        least at the time of the first checking, respectively authorize        for access.

The first aspect of the invention further discloses the use of an accessauthorization proving apparatus for communicating access authorizationinformation to the access control apparatus in accordance with the firstaspect of the invention.

A second aspect of the invention discloses a method for generatingaccess authorization information, in particular performed by an accessauthorization generation apparatus, the method comprising

-   -   generating first check information by performing cryptographic        operations on one or more access authorization parameters using        at least a first key of a symmetrical or asymmetrical key pair,    -   generating access authorization information comprising at least        the one or the plurality of access authorization parameters and        the first check information, and    -   outputting the access authorization information for storage on        an access authorization proving apparatus configured to        communicate the access authorization information to at least one        access control apparatus in order to enable the latter to decide        whether access is permitted to be granted on the basis of the        communicated access authorization information, wherein necessary        conditions for granting access are that a first checking, using        at least the communicated access authorization parameters, the        communicated first check information and a second key of the key        pair, said second key being stored in the access control        apparatus, whether the communicated first check information was        generated by performing cryptographic operations on access        authorization parameters corresponding to the communicated        access authorization parameters using at least the first key of        the key pair, yields a positive result and it is determined that        at least one predefined set of the communicated access        authorization parameters, in view of respective pieces of        reference information present in the access control apparatus at        least at the time of the first checking, respectively authorize        for access.

A third aspect of the invention discloses a method for proving an accessauthorization, performed by an access authorization proving apparatus,the method comprising:

-   -   communicating access authorization information comprising at        least one or more access authorization parameters and first        check information to an access control apparatus in order to        enable the latter to decide whether access is permitted to be        granted on the basis of the communicated access authorization        information, wherein necessary conditions for granting access        are that a first checking, using at least the communicated        access authorization parameters, the communicated first check        information and a second key of a symmetrical or asymmetrical        key pair, said second key being stored in the access control        apparatus, whether the communicated first check information was        generated by performing cryptographic operations on access        authorization parameters corresponding to the communicated        access authorization parameters using at least a first key of        the key pair, yields a positive result and it is determined that        at least one predefined set of the communicated access        authorization parameters, in view of respective pieces of        reference information present in the access control apparatus at        least at the time of the first checking, respectively authorize        for access.

Each of these aspects of the invention further discloses in each case:

-   -   a computer program, comprising program instructions that cause a        processor to perform and/or control the method in accordance        with the respective aspect of the invention when the computer        program runs on the processor. In this specification, a        processor should be understood to mean, inter alia, control        units, microprocessors, microcontrol units such as        microcontrollers, digital signal processors (DSP),        application-specific integrated circuits (ASICs) or Field        Programmable Gate Arrays (FPGAs). Here either all the steps of        the method can be controlled, or all the steps of the method can        be performed, or one or more steps can be controlled and one or        more steps can be performed. The computer program can be        distributable for example via a network such as the Internet, a        telephone or mobile radio network and/or a local network. The        computer program can be at least partly software and/or firmware        of a processor. It can equally be implemented at least partly as        hardware. The computer program can be stored for example on a        computer-readable storage medium, e.g. a magnetic, electrical,        electromagnetic, optical and/or other type of storage medium.        The storage medium can be for example part of the processor, for        example a (nonvolatile or volatile) program memory of the        processor or a part thereof    -   An apparatus, configured to perform and/or control the method in        accordance with the respective aspect of the invention or        comprising respective means for performing the steps of the        method in accordance with the respective aspect of the        invention. Here either all of the steps of the method can be        controlled, or all the steps of the method can be performed, or        one or more steps can be controlled and one or more steps can be        performed. One or more of the means can also be implemented        and/or controlled by the same unit. By way of example, one or        more of the means can be formed by one or more processors.    -   An apparatus comprising at least one processor and at least one        memory that includes program code, wherein the memory and the        program code are configured to cause the apparatus having the at        least one processor to perform and/or control at least the        method in accordance with the respective aspect of the        invention. Here either all the steps of the method can be        controlled, or all the steps of the method can be performed, or        one or more steps can be controlled and one or more steps can be        performed.

A fourth aspect of the invention discloses a system, comprising:

-   -   an access control apparatus in accordance with the first aspect        of the invention,    -   an access authorization generation apparatus, in particular in        accordance with the second aspect of the invention, and    -   an access authorization proving apparatus, in particular in        accordance with the third aspect of the invention, wherein the        access authorization information is generated by the access        authorization generation apparatus and is communicated to the        access control apparatus by the access authorization proving        apparatus.

These four aspects of the present invention have inter alia the—in partexemplary—properties described below.

Access control is performed at an access control apparatus; by way ofexample, access to rooms of buildings (e.g. hotels, office complexes,laboratories) or apparatuses, to events (e.g. concerts, sportingevents), to functions (for example of a computer, e.g. via a login), toresources or to services (for example to a service provided by a server,e.g. online banking, social networks, email accounts) is controlled.Examples of access to areas of apparatuses are access to receptacleareas of receptacle apparatuses, such as e.g. lockboxes, lockers,refrigerators, goods delivery containers, mailboxes, parcel boxes orcombined mail and parcel boxes, which for example are in each caseclosed with doors and secured by locking devices.

The access control apparatus can be for example one or more processorsthat control one or more locking devices, for example an electronicallycontrollable lock, and can thus bring about opening and/or closing ofthe lock, for example. The lock can be equipped with a latch function,for example, such that the access control apparatus has to control forexample only an opening of the lock (for example by means of at leasttemporarily transferring the latch to an open position, for example bymeans of an electric motor), while the lock is closed manually by a userby a procedure in which said user uses the latch function and, forexample, by pressing a door shut, displaces the latch from the shutposition to the open position and, after the process of pressing shuthas ended, the latch automatically returns to the shut position again,for example by means of spring preloading.

The access control apparatus can also comprise the locking devices andfurther components. The access control apparatus can be part of anapparatus for which it provides access control, for example of areceptacle apparatus. The access control apparatus can bebattery-operated, for example, and have no, more particularlycontinuous, power connection, for example. The access control apparatuscan be configured for example in such a way that in operation it isconfigured exclusively for communication with access authorizationproving apparatuses, and for example is not configured for communicationwith the access authorization generation apparatus. The access controlapparatus has for example no connection to a mobile radio network, alocal area network (LAN), a wireless local area network (WLAN) or theInternet, that is to say that it thus constitutes for example an“offline” access control apparatus. The wireless communication of theaccess control apparatus can be configured for example for communicationwith apparatuses in relatively close proximity to the access controlapparatus (for example less than 100 m). The wireless communication ofthe access control apparatus can be limited for example to communicationby means of Radio Frequency Identification (RFID) and/or Near FieldCommunication (NFC) and/or Bluetooth (e.g. Bluetooth Version 2.1 and/or4.0). RFID and NFC are specified for example in accordance with ISOstandards 18000, 11784/11785 and ISO/IEC standard 14443-A and 15693. TheBluetooth specifications are available at www[dot]Bluetooth[dot]org.Nevertheless, the access control apparatus can have for example aUniversal Serial Bus (USB) interface, via which the access controlapparatus can be maintained, for example.

The access control can consist for example in taking a decision, on thebasis of access authorization information presented, as to whetheraccess is permitted to be granted. If it is decided that access ispermitted to be granted, for example access is granted, for example by acontrol signal being transmitted, for example to a lock, in order forexample to unlock and/or open a door to one or more areas (e.g.receptacle areas of a receptacle apparatus) in order to enable access tothe one or the plurality of areas. Access can be granted to differentextents; by way of example, if a plurality of receptacle areas arepresent, only access to specific receptacle areas or groups ofreceptacle areas can be granted. The extent of the access can be definedfor example in an access authorization parameter of the accessauthorization information.

At the access control apparatus, access authorization information isobtained that was communicated to the access control apparatus, inparticular from an access authorization proving apparatus on which theaccess authorization information is stored at least temporarily. Theaccess authorization information can be communicated to the accesscontrol apparatus for example by means of wireless communication, forexample by communication by means of RFID, NFC or Bluetooth.

The access authorization proving apparatus can be for example a portableelectronic device. The device is assigned for example to a user (e.g. auser registered vis-à-vis the access control apparatus) who would liketo obtain access with the access authorization information at the accesscontrol apparatus, and said device is therefore referred to hereinafteras “user device”. The user device has for example a graphical userinterface and/or a dedicated power supply. The user device is forexample a cellular phone, a personal digital assistant (PDA), a mediaplayer (e.g. an iPod), or a navigation device. If the access controlapparatus is assigned to a parcel box, the user device can belong forexample to a parcel box user, that is to say for example an owner of theparcel box, or a person who, via the parcel box, is permitted to receiveparcels or to insert them for storage by a deliverer. A deliverer inthis sense is not understood as a user. The user device is configuredfor wireless communication with the access control apparatus, forexample via Bluetooth and/or RFID and/or NFC. The device has thecapability, for example, of communicating via a cellular mobile radionetwork (e.g. a mobile radio network based on the Global System forMobile Communication (GSM), the Universal Mobile TelecommunicationsSystem (UMTS) and/or the Long Term Evolution (LTE) System).

Alternatively, the access authorization proving apparatus can be forexample a portable electronic device of a deliverer, particularly if theaccess control apparatus is assigned to a parcel box. This device isreferred to hereinafter as “deliverer device”. The deliverer device hasfor example a graphical user interface and a functionality forwirelessly detecting information of parcels, for example by opticallyscanning parcel labels and/or detecting information of parcels via radio(e.g. RFID) or magnetic fields (e.g. NFC), for example if the parcel hasan RFID tag or NFC tag. The deliverer device can have for example thecapability of communicating via a cellular mobile radio network, butthis can also not be the case. The deliverer device can have for examplethe capability of communicating via WLAN and/or via a cellular mobileradio system (in particular via GRPS). The deliverer device can have forexample the capability of communicating via Bluetooth and/or NFC, forexample also by means of corresponding retrofitting. One example of adeliverer device is a handheld scanner, e.g. LXE Tecton MX7 fromHoneywell.

If the access authorization proving apparatus (in particular the userdevice and/or the deliverer device) communicates access authorizationinformation to the access control apparatus by means of Bluetooth, it isadvantageous for the medium access control (MAC) address of the accesscontrol apparatus to be known to the access authorization provingapparatus, since the Bluetooth communication can then be started withoutthe need for time-consuming Bluetooth pairing. The MAC address of theaccess control apparatus is communicated to the access authorizationproving apparatus for example together with the access authorizationinformation.

Alternatively, the access authorization proving apparatus can be forexample a portable electronic unit for wireless communication with theaccess control apparatus. This portable electronic unit is referred tohereinafter as “tag”. The tag can have for example no capability forcommunication by means of cellular mobile radio and/or no capability forcommunication by means of WLAN and/or no capability for communication bymeans of Bluetooth. The tag can have for example no graphical userinterface and/or no dedicated power supply. The tag can communicate forexample only in the presence of an (e.g. electromagnetic or magnetic)reading field of a reader. The tag can be for example an RFID or NFC tag(e.g. an MiFARE tag from NXP). The tag can have different form factors,for example. It can be embodied for example as a key fob or as a card(e.g. approximately having the form factor of a credit card). The tagcan have for example small dimensions (e.g. less than in each case 9 cmor 5 cm height/length/width) and low weight (e.g. less than 50 g). Theinformation (e.g. the access authorization information) stored on thetag can be communicated for example to a corresponding reader, forexample also only after successful authentication of the readervis-à-vis the tag. The reader can for example be part of the accesscontrol apparatus or be operatively connected thereto. The tags canoperate for example at 120-135 kHz, 13.56 MHz or 865-869 MHz, but other,in particular higher, frequencies are also possible. The informationtransmission can be based for example on capacitive coupling, inductivecoupling or on electromagnetic waves (backscatter method). The tag cancomprise for example an antenna, an analog circuit for transmitting andreceiving (also referred to as a transceiver), a digital circuit (e.g. amicrocontroller) and a memory (for example an EEPROM—ElectricallyErasable Programmable Read-Only Memory). The access authorizationinformation can be modulated for example onto a high-frequency signalgenerated by a reading unit, for example in the form of a loadmodulation. The reading unit can then obtain the authorizationinformation from the tag as a result.

The access authorization information is generated on the accessauthorization generation apparatus, which can be embodied for example asone or more servers. It is then output for storage on an accessauthorization proving apparatus. This can be done, for example, by theaccess authorization information being transmitted via a communicationconnection between the access authorization generation apparatus and theaccess authorization proving apparatus to the access authorizationproving apparatus and being stored there, particularly if the accessauthorization proving apparatus is a user device (e.g. a cellular phone,as described above). By way of example, on the access authorizationproving apparatus there is then present a functionality, for example asan application (“app”), which can be downloaded from an onlinemarketplace, for example, and which serves inter alia for retrievingaccess authorization information. The access authorization informationcan be transmitted from the access authorization generation apparatus tothe access authorization proving apparatus for example whenever thevalidity of the access authorization proving apparatus has elapsed, forexample on a yearly or half-yearly cycle. For this purpose, the accessauthorization information can be actively pushed (that is to saytransmitted without enquiry by the access authorization provingapparatus) for example from the access authorization generationapparatus to the access authorization proving apparatus, or can betransmitted to the access authorization proving apparatus only uponenquiry by the access authorization proving apparatus (or some otherentity) (and can for example also only be generated in response to theenquiry). The communication connection between the access authorizationgeneration apparatus and the access authorization proving apparatus canbe based on one or more communication networks, at least one of whichfor example is a mobile radio network or a WLAN network. If the accessauthorization proving apparatus is a user device (e.g. a cellularphone), for example, the access authorization information can beobtained from the access authorization generation apparatus for examplevia a Hypertext Transfer Protocol (HTTP)- or Hyper Text TransportProtocol Secure (HTTPS) connection based for example on a General PacketRadio (GPRS) connection.

If the access authorization proving apparatus is a deliverer device(e.g. a handheld scanner of a deliverer), for example, the accessauthorization information can be transmitted for example via theInternet to a computer (e.g. a computer in a delivery base with whichthe deliverer device is associated at least at times) and, under thecontrol thereof, can then be transmitted to the deliverer device forexample in a wired manner (e.g. by means of a docking station) orwirelessly (e.g. by WLAN). This can take place anew every day, forexample.

If the access authorization proving apparatus is for example a tag (e.g.an RFID or NFC tag, as described above), the access authorizationgeneration apparatus outputs the access authorization information to thetag for storage for example by the access authorization informationbeing transmitted to a writing unit (for example via the Internet),which then writes the access authorization information to the tag. Byway of example, the access authorization information is transmitted to acomputer of a supplier or manufacturer of tags, which then performs thewriting of the access authorization information to the tags. This isdone for example before the tags are issued to the persons who areintended to use the access authorization information for accessauthorization proving (e.g. user and/or deliverer). The validity of theaccess authorization information stored on tags, on account of thehigher outlay for replacing the access authorization information in thetags in comparison with the user devices and/or deliverer devices, canbe longer than the validity of the access authorization informationstored on the user devices and/or deliverer devices.

The access authorization information contains one or more accessauthorization parameters. This can involve for example a (moreparticularly unique) identifier for the access control apparatus, a(more particularly unique) identifier for the access authorizationinformation itself, temporal validity information (e.g. in the form of a“not before date”, a “not after date”, a “start time of day” and an “endtime of day”, which specify within which days and within which time ofday access is permitted to be granted, for example from Mar. 27, 201400:00:00 hours to Mar. 28, 2014 23:59:59 hours), an upper limit of theallowed uses of the access authorization information in order to obtainaccess, and information as to what extent access is permitted to begranted (that is to say for example whether all the doors of a parcelbox are permitted to be opened, or only one door or a specific groupthereof). The one or the plurality of access authorization parametersare also referred to jointly as access authorization in thisspecification.

At least one predefined set (e.g. all, or only some) of the accessauthorization parameters are checked with regard to respective referenceinformation to determine whether they authorize for access in each case.By way of example, the identifier for the access control apparatus asaccess authorization parameter can be checked vis-à-vis an identifier ofthe access control apparatus that is stored in the access controlapparatus, and in the event of correspondence it can be determined thatthis access authorization parameter authorizes for access. The temporalvalidity information as access authorization parameter can be checkedfor example vis-à-vis temporal information (e.g. date and time of day)obtained from a clock of the access control apparatus, for example insuch a way that a time period defined by the validity information mustcontain the current point in time according to the clock of the accesscontrol apparatus in order that access can be granted. A predefinedtemporal tolerance can be permissible here in order to compensate forpossible time differences between the clock of the access controlapparatus and a clock in the access authorization generation apparatus.A communicated upper limit of the allowed uses can be correspondinglychecked against a counter that is stored in the access control apparatusand that is incremented by 1 each time this access authorizationinformation is used for obtaining access at the access controlapparatus. The comparison of the communicated upper limit with thecounter as reference information reveals that access is permitted to begranted if the counter is less than the communicated upper limit.

While for example the identifier of the access control apparatus and thetemporal information obtained from the clock are continuously present inthe access control apparatus, there can be one or more accessauthorization parameters which must be checked vis-à-vis referenceinformation and which are not present continuously in the access controlapparatus, but rather for example only in the first checking or shortlybefore the first checking. This may be the case for example for theidentifier of the access authorization information or of the accessauthorization proving apparatus as access authorization parameter ifthis identifier, for example in encrypted form (or alternatively incombination with a fourth key), is obtained at the access controlapparatus only together with the access authorization information orbefore or after the access authorization information (but in the samecommunication session, for example). Here, too, granting accessnecessitates that the identifier of the access authorization informationthat is communicated as access authorization parameter corresponds tothe identifier of the access authorization information that is obtainedby decryption from the identifier obtained in encrypted fashion. In asimilar manner, the identifier of the access authorization informationor of the access authorization proving apparatus can also be checkedvis-à-vis a rejection list as an example of reference information. Saidrejection list may for example not already be stored on the accesscontrol apparatus initially, but rather only after a portion of theoperating duration of the access control apparatus has elapsed. The casemay occur, for example, that the rejection list is obtained at theaccess control apparatus in the same communication session in which theaccess authorization information is also transmitted to the accesscontrol apparatus, for example temporally before the accessauthorization information.

An access authorization parameter that is not checked against referenceinformation is, for example, the information regarding the extent towhich access is intended to be granted. This information is taken intoaccount for example when granting access, but for example not whenchecking whether access is intended to be granted. By way of example,the information regarding the extent to which access is intended to begranted can specify which door or which group of doors from a pluralityof doors of a building or of an apparatus is intended to be opened if itwas decided that access is permitted to be granted. If the apparatus isa parcel box having a door for a parcel compartment and a door for aletter compartment, the information can specify for example whether onlythe parcel compartment is intended to be opened (for example for adeliverer) or both the parcel compartment and the letter compartment areintended to be opened (for example for a user of the parcel box).

However, before the individual access authorization parameters arechecked vis-à-vis their respective reference information in the accesscontrol apparatus, the first checking must yield a positive result. Thefirst checking analyzes the first check information contained in theaccess authorization information in order to determine the integrity(intactness or freedom from manipulation) and authenticity (genuinenessor origin of the supposed source) of the access authorizationinformation, as will be explained in even greater detail below. Theauthenticity of the access authorization information is primarilydetermined by virtue of the fact that the station that issues the accessauthorization information, that is to say the access authorizationgeneration apparatus, in the cryptographic operations, used the firstkey of a key pair kept secret between the access control apparatus andthe access authorization generation apparatus, which can be checked bythe access control apparatus on the basis of the second key of said keypair, the first check information and the communicated accessauthorization parameters. In the course of this check, the integrity ofthe communicated access authorization parameters is also confirmed. Inthis case, none of the keys of the key pair is known for example outsidethe access control apparatus and the access authorization generationapparatus; in particular, these keys are not known even by the accessauthorization proving apparatus or the users thereof. The key pair canbe a symmetrical key pair, for example, which means that the first keyand the second key are identical. Encryption and decryption using suchsymmetrical keys can be performed for example according to the methodsof Advanced Encryption Standard (AES), DES (Data Encryption Standard),Data Encryption Algorithm (DEA), Triple-DES, IDEA (International DataEncryption Algorithm) or Blowfish, to give just a few examples.Symmetrical keys can be chosen pseudo-randomly, for example. In the caseof an asymmetrical key pair, by contrast, both keys are different, e.g.in the case of an asymmetrical key pair according to the RSA (Rivest,Shamir, Adleman) method or according to the method according toMcEliece, Rabin, Chor-Rivest or Elgamal. Methods for generatingsymmetrical and asymmetrical keys for generating digital signatures,message authentication codes (MACs) and for encryption and decryptionare specified in the publication “Special Publication 800-133Recommendation for Cryptographic Key Generation” by the NationalInstitute of Standards and Technology (NIST) at the US Department ofCommerce.

Access is thus granted if the first checking had a positive outcome,that is to say that in particular the integrity and authenticity of theaccess authorization information were confirmed, and it was alsodetermined for at least a specific set of the access authorizationparameters that these authorize for access vis-à-vis their respectivereference information in the access control apparatus. If it is decidedthat access is permitted to be granted, for example a correspondingcontrol signal is output, for example to a lock. Otherwise, for examplean e.g. optical or acoustic alarm or a warning is output.

The access control system embodied in accordance with the first to thefourth aspects of the invention has a number of advantages. By virtue ofthe fact that the access control apparatus and the access authorizationgeneration apparatus treat the key pair as a secret, firstly the accessauthorization generation apparatus is enabled exclusively itself tocreate access authorization information for the access controlapparatus. The access control apparatus, secondly, can trust the accessauthorization information generated by the access authorizationgeneration apparatus. Therefore, the access authorization parameters canalso be communicated to the access control apparatus without encryption,in principle: using the second key of the key pair, their integrity andthe authenticity of the access authorization information can beconfirmed sufficiently. Since the access control apparatus uses, forchecking the communicated access authorization parameters, eitherreference information that is invariable over the long term, such as theidentifier of the access control apparatus, or self-manageable referenceinformation such as e.g. the temporal information derived from the localclock of the access control apparatus or the counter for the grantedaccesses already effected with specific access authorizationinformation, the access control apparatus is substantially autonomousand manages without a network link. This also reduces the powerconsumption, which is likewise pertinent in the case of abattery-operated apparatus. Further, in the access control apparatus thecryptographic operations are performed on the communicated accessauthorization parameters, rather than on access authorization parameterspresent locally. This makes it possible, in particular, to separate thecheck of the integrity of the obtained information from the check of thecontent thereof. If, for example, as an alternative, the “expected”first check information were calculated in the access control apparatusand then compared with the communicated first check information, theexpected first check information would have to be formed and comparedwith the communicated first check information for a plurality of pointsin time depending on the granularity of the temporal validity used asaccess authorization parameter (e.g. 1 minute, 10 minutes, 1 hour), inorder to “hit” the communicated check information exactly with at leastone expected first check information piece. Instead, in the presentaccess control system, the integrity of the communicated temporalvalidity is determined and this temporal validity is compared with thetemporal information in the access control apparatus in order todetermine significantly more simply and more rapidly whether thedifference is still within a predefined tolerance.

Further advantages of the access control system disclosed are describedbelow on the basis of exemplary embodiments, the disclosure of which isintended to apply equally to all four aspects of the invention and allthe respective categories (method, apparatus/system, computer program).

In one exemplary embodiment of all the aspects of the invention, the keypair is an asymmetrical key pair, and the first checking compriseschecking the communicated first check information as a digital signatureby means of the access authorization parameters using at least thesecond key of the key pair and the communicated access authorizationparameters. The first and second keys of the asymmetrical key pair arethen different. By way of example, the first key is a private key andthe second key is a public key, or vice versa. The key pair may havebeen generated according to the RSA algorithm, for example. The digitalsignature is formed (in particular in the access authorizationgeneration apparatus) for example by a Hash value being formed by meansof the access authorization parameters, for example according to analgorithm from the Secure Hash Algorithm (SHA) family, such as arespecified by the National Institute of Standards and Technology (NIST),for example an SHA-1, SHA-224 or SHA-256, to give just a few examples.The Hash value is then encrypted using the first key, for example, inorder to obtain the first check information. Alternatively, the accessauthorization parameters can also be encrypted without the formation ofa Hash value. For checking the signature, the first check information isdecrypted using the second key and the Hash value obtained as a resultis compared with a Hash value formed locally by means of thecommunicated access authorization parameters according to the samealgorithm. In the event of correspondence of the Hash values, theauthenticity of the access authorization information and the integrityof the access authorization parameters can be assumed. If no Hash valueformation takes place, the access authorization parameters obtained bydecryption are compared directly with the communicated accessauthorization parameters.

In one exemplary embodiment of all the aspects of the invention, the keypair is a symmetrical key pair, and the first checking comprisesperforming the cryptographic operations on the communicated accessauthorization parameters using at least the second key of the key pairfor obtaining locally generated first check information and comparingthe communicated first check information with the locally generatedfirst check information. The symmetrical key pair then comprises thesame key twice, for example an AES key, e.g. an AES-128 key. As in thecase of an asymmetrical key pair, the first check information can begenerated by encryption of the access authorization parameters or of aHash value thereof using the first key (in particular in the accessauthorization generation apparatus). The check is then performed bydecrypting the communicated first check information using the second key(identical to the first key) and comparing the result with either theaccess authorization parameters or a Hash value of the accessauthorization parameters generated locally according to the samealgorithm. In the event of correspondence, the authenticity of theaccess authorization information and the integrity of the accessauthorization parameters are assumed. In encryption/decryption it ispossible to use for example a block cipher, for example with anElectronic Code Book (ECB), a Cipher Block Chaining (CBC), a CipherFeedback (CFB), an Output Feedback or a Counter operating mode, such asare known to the person skilled in the art, in order to enable theencryption/decryption of information that is longer than the block ofthe block cipher. Depending on the operating mode (e.g. in the CPC orCFM operating mode) an initialization vector (IV) may be required herein addition to the keys in encrytion/decryption. Said initializationvector may either be fixedly agreed (and then be stored for example inthe access control apparatus) or communicated to the access controlapparatus for each access authorization information piece. Instead ofencrypting/decrypting the access authorization parameters or the Hashvalue thereof in order to obtain the first check information, it is alsopossible to use a message authentication code (MAC) for generating thefirst check information, which code is formed by means of the accessauthorization parameters and likewise takes account of the first key.Examples of MACs are the Message Authentication Algorithm (MAA), theKeyed-Hash Message Authentication Code (HMAC) or the Cipher-BasedMessage Authentication Code (CMAC) specified by the NIST. In the case ofan MAC, for example in a combined process, a type of Hash value iscreated by means of the access authorization parameters and the firstkey is concomitantly taken into account here. The result forms the firstcheck information. For checking the first check information, at theaccess control apparatus, by means of the communicated accessauthorization parameters using the second key (identical to the firstkey), the MAC is formed according to the identical specification and theresult, the locally generated first check information, is compared withthe communicated first check information. In the event ofcorrespondence, the authenticity of the access authorization informationand the integrity of the access authorization parameters are proved.

In one exemplary embodiment of all the aspects of the invention, theaccess control apparatus constitutes an access control apparatus from aplurality of access control apparatuses, wherein a second key of asymmetrical or asymmetrical individual key pair is stored in the accesscontrol apparatus, said second key being stored only on the accesscontrol apparatus, but on none of the other access control apparatusesof the plurality of access control apparatuses, and wherein the secondkey of the key pair that is used in the first checking is the second keyof the individual key pair. Accordingly, therefore, the first key of theindividual key pair is then also used when generating the first checkinformation (in particular at the access authorization generationapparatus). The access authorization information generated for aspecific access control apparatus is thus unique and usable only for oneaccess control apparatus, but not for any other access controlapparatuses. In the event of the loss of an access authorization provingapparatus having such stored access authorization information,therefore, misuse is only possible with one access control apparatus,and not with a plurality of access control apparatuses.

In one exemplary embodiment of all the aspects of the invention, theaccess control apparatus constitutes an access control apparatus from aplurality of access control apparatuses, wherein a second key of asymmetrical or asymmetrical individual key pair is stored in the accesscontrol apparatus, said second key being stored only on the accesscontrol apparatus, but on none of the other access control apparatusesof the plurality of access control apparatuses, wherein a second key ofa symmetrical or asymmetrical group key pair is further stored in theaccess control apparatus, said second key being different than thesecond key of the individual key pair and being stored in all the accesscontrol apparatuses of a group of access control apparatuses from theplurality of access control apparatuses that comprises the accesscontrol apparatus, and wherein the second key of the key pair that isused in the first checking is either the second key of the individualkey pair or the second key of the group key pair. Accordingly,therefore, the first key of the individual key pair or the first key ofthe group key pair is then also used when generating the first checkinformation (in particular at the access authorization generationapparatus). In this case, the access authorization information generatedfor a specific access control apparatus using the first key of theindividual key pair is unique and usable only for one access controlapparatus, but not for any other access control apparatuses. In theevent of the loss of an access authorization proving apparatus havingsuch stored access authorization information, therefore, misuse is onlypossible with one access control apparatus, and not with a plurality ofaccess control apparatuses. Further, however, the group key pair makesit possible to generate access authorization information that can beused for proving the authorization at a plurality of access controlapparatuses. This is advantageous, for example, if service staff in ahotel are intended to obtain access to a plurality of rooms providedwith respective access control apparatuses or deliverers of parcels areintended to obtain access to a plurality of parcel boxes provided withrespective access control apparatuses, e.g. in a delivery area. Suchaccess authorization information generated using a first key of thegroup key pair can be stored for example on a tag (e.g. an RFID or NFCtag). Since such tags may possibly have a comparatively long period ofvalidity (e.g. several months) and if lost, could be used for improperlyobtaining access at numerous access control apparatuses, it isadvantageous for such tags or the access authorization informationsituated thereon to be provided with a unique identifier that can belocked for example by a rejection list stored in the access controlapparatus, as will be explained in greater detail below.

At least one second key of a symmetrical or asymmetrical further groupkey pair can further be stored in the access control apparatus, said atleast one second key being different than the second key of theindividual key pair and the second key of the group key pair and beingstored in all the access control apparatuses of a further group ofaccess control apparatuses from the plurality of access controlapparatuses that comprises the access control apparatus, said furthergroup including, however, at least one or more other access controlapparatuses in comparison with the group of access control apparatuses,and wherein the second key of the key pair that is used in the firstchecking is either the second key of the individual key pair, the secondkey of the group key pair or the second key of the further group keypair. Therefore, the access control apparatus then has for example thesecond keys of the individual key pair and of two group key pairs. Thisis particularly advantageous if the access control apparatus islogically assigned to two at least partly different groups of accesscontrol apparatuses. If the access control apparatus is assigned to aparcel box, for example, when delivery areas are defined dynamically forexample it can happen that the same parcel box is assigned to a firstdelivery area on one day and to a second delivery area on another day.Further or alternatively, it can happen that delivery areas overlap onthe same day, for example because the first delivery area is assigned toa parcel deliverer and the second delivery area is assigned to acombination deliverer (who delivers parcels and letters) or letterdeliverer. In order that the parcel box can nevertheless be opened bothby the deliverer for the first delivery area and the deliverer for thesecond delivery area, it is advantageous to store the respective secondkeys of second group key pairs on the access control apparatus. Theaccess authorization information of the deliverer for the first deliveryarea (in particular its first check information) is then based on thefirst key of a first group key pair, and the access authorizationinformation of the deliverer for the second delivery area (in particularits first check information) is then based on the first key of a secondgroup key pair. These access authorization information pieces can thenbe stored for example on respective tags for the respective deliveryareas (a first tag for the first delivery area and a second tag for thesecond delivery area).

By way of example, is it possible that provision is not made forchanging the second key of the individual key pair in the access controlapparatus, for erasing said second key or for exchanging it for anotherkey, but wherein it can be provided that the second key of the group keypair can be changed or erased or exchanged for another key. The secondkey of the individual key pair can thus form a fixed component, inparticular, which is not changed during the period of use of the accesscontrol apparatus. In particular, the second key of the individual keypair can be used also to check, with regard to authenticity andintegrity, information (for example group key information or rejectioninformation) that is different than the access authorization informationand, in particular, is generated by the access authorization generationapparatus using the first key of the individual key pair, as will beexplained in even greater detail below. By contrast, the second keys ofthe group key pairs can be changed, erased or exchanged, which isrelevant, for example, if a parcel box has to be moved to a differentdelivery area on account of its owner moving home. The way in which thisis done is explained below.

In one exemplary embodiment of all the aspects of the invention, at theaccess control apparatus, group key information communicated to theaccess control apparatus and comprising at least one secondkey—encrypted with the first key of the individual key pair—of a newsymmetrical or asymmetrical group key pair for the same or an at leastpartly different group of access control apparatuses from the pluralityof access control apparatuses, the communicated encrypted second key ofthe new group key pair is decrypted with the second key of theindividual key pair, and the second key of the new group key pairobtained by the decrypting is stored in the access control apparatus,such that the second key of the key pair used in the first checking isat least either the second key of the individual key pair or the secondkey of the new group key pair. The group key information can inparticular be generated at the access authorization generation apparatusand be communicated to the access control apparatus by means of theaccess authorization proving apparatus, for example in the context ofthe same communication session in which the access authorizationinformation is also communicated to the access control apparatus, buttemporally before the access authorization information, such that thesecond key of the new group key pair can already be taken into accountwhen checking the access authorization information, if necessary. Inthis case, the second key of the group key pair already present can beeither erased or maintained. By way of example, the group keyinformation can contain a list of one or more encrypted second keys ofrespective one or more new group key pairs, which replaces all thesecond keys of respective group key pairs already present in the accesscontrol apparatus. The individual key pair here again serves as a basisof trust between the access control apparatus and the accessauthorization generation apparatus, but does not allow a check of theauthenticity or integrity since the second keys of the respective one orthe plurality of group key pairs are not further transmitted withoutencryption. However, the encryption ensures that no one apart from theaccess authorization generation apparatus and the access controlapparatus can read the second keys of the respective one or theplurality of new group key pairs in plain text, in particular not theaccess authorization proving apparatus. In the case where the individualkey pair is a symmetrical key pair, for example a symmetrical AESencryption takes place in the CBC operating mode. An initializationvector for the CBC mode can be communicated for example together withthe group key information, e.g. as part thereof, to the access controlapparatus in order to be used there in the decryption.

In order to enable a check of the authenticity and integrity of thecommunicated group key information, the following can be performed, forexample. Second check information communicated to the access controlapparatus is obtained, and the second key of the new group key pairobtained by the decrypting is stored in the access control apparatusonly under the precondition that, in the case of a check based at leaston the communicated second check information, the second key of theindividual key pair and the communicated group key information, it isdetermined that the communicated second check information was generatedby cryptographic operations being performed on the group key informationcorresponding to the communicated group key information using at leastthe first key of the individual key pair. The second check informationcan be calculated and checked for example in a manner analogous to thatas already described above on the basis of the first check information,wherein the cryptographic operations are performed on the group keyinformation instead of the access authorization parameters. Thus, forexample, digital signatures or MACs can again be used as second checkinformation. The second check information is generated in particular atthe access authorization generation apparatus, and then communicated tothe access control apparatus by the access authorization provingapparatus.

The group key information can further comprise a counter(update_counter) that is incremented with each new group key pair,wherein the second key of the new group key pair that is obtained by thedecrypting is stored in the access control apparatus only under thefurther precondition that a value of a counter (update_counter)comprised by the group key information is greater than a value of acounter provided in the access control apparatus, and wherein, in orafter the storage of the second key of the new group key pair in theaccess control apparatus, the value of the counter in the access controlapparatus is updated to the value of the counter (update_counter)comprised by the group key information. The counter comprised by thegroup key information is then for example a copy of a counter that isincremented in the access authorization generation apparatus upon eachnew generation of group key information (that is to say e.g. each timeone or more second keys of respective one or more new group keys areintended to be brought to the access control apparatus).

The group key information can for example further comprise an individualidentifier of the access control apparatus, and the second key of thenew group key pair that is obtained by the decrypting can, for example,be stored in the access control apparatus only under the furtherprecondition that an individual identifier of the access controlapparatus that is stored in the access control apparatus corresponds tothe individual identifier comprised in the group key information. Thegroup key information is thus uniquely assigned to only one accesscontrol apparatus. Since the second check information is formed by meansof the group key information, the integrity of the individual identifierin the group key information is further ensured.

The group key information can for example further comprise a groupidentifier associated with the new group key pair, said group identifierbeing common to all the access control apparatuses of the group ofaccess control apparatuses for which the new group key pair is intended,and the group identifier obtained by the decrypting is stored forexample in the access control apparatus. The storage of the groupidentifier obtained by the decryption can be performed for example onlyif the (above-described) preconditions required for the storage of thesecond key of the new group key pair that is obtained by the decryptionare also fulfilled. The group identifier can serve as referenceinformation for checking an identifier—communicated as accessauthorization parameter—of that unit access control apparatus for whichthe access authorization information is intended, and can facilitate theselection of the second key of the key pair that is used in the firstchecking, as will be explained in even greater detail below.

In one exemplary embodiment of all the aspects of the invention, one ofthe communicated access authorization parameters is an identifier foronly one access control apparatus or a group of access controlapparatuses, wherein it is determined that the identifier authorizes foraccess if the identifier corresponds to an individual identifier of theaccess control apparatus that is stored in the access control apparatusand/or a group identifier for a group of access control apparatuses towhich the access control apparatus belongs. An identifier contained inthe access authorization information is thus used for assigning theaccess authorization information to an access control apparatus, eitheron the basis of the individual identifier thereof or on the basis of thegroup identifier thereof.

In one exemplary embodiment of all the aspects of the invention, one ofthe communicated access authorization parameters is an identifier foronly one access control apparatus or a group of access controlapparatuses, wherein it is determined that the identifier authorizes foraccess if the identifier corresponds to an individual identifier of theaccess control apparatus that is stored in the access control apparatusand/or a group identifier for a group of access control apparatuses towhich the access control apparatus belongs, wherein the first checkinformation of communicated access authorization information which hasan identifier for only one access control apparatus is generated byperforming cryptographic operations on the access authorizationparameters using at least one first key of the individual key pair, andwherein the first check information of communicated access authorizationinformation which has an identifier for a group of access controlapparatuses is generated by performing cryptographic operations on theaccess authorization parameters using at least one first key of thegroup key pair. An identifier contained in the access authorizationinformation is thus used for assigning the access authorizationinformation to an access control apparatus, either on the basis of theindividual identifier thereof or on the basis of the group identifierthereof. A further assignment of the access authorization informationtakes place by means of the selection of the group key pair: if theaccess authorization information contains an identifier for only oneaccess control apparatus, the first check information thereof isgenerated using the first key of the individual key pair (andcorrespondingly checked on the basis of the second key of the individualkey pair in the access control apparatus). However, if the accessauthorization information contains an identifier for a group of accesscontrol apparatus, the first check information thereof is generatedusing the first key of the group key pair (and correspondingly checkedon the basis of the second key of the group key pair in the accesscontrol apparatus).

By way of example, on the basis of the identifier, in particular on thebasis of a predefined format of the identifier, in the access controlapparatus, it is possible to identify whether the identifier is anidentifier for only one access control apparatus or an identifier for agroup of access control apparatuses is involved, such that either thesecond key of the individual key pair or the second key of the group keypair can be selected in the access control apparatus in each caseappropriately for the first checking. By way of example, a predefinedallocation of one or more predefined bit positions of the identifier canindicate whether an identifier for only one access control apparatus(e.g.: last bit position=“0”) or an identifier for a group of accesscontrol apparatuses (e.g.: last bit position=“1”) is involved.

In one exemplary embodiment of all the aspects of the invention, one ofthe communicated access authorization parameters is an identifier forthe access authorization information or for an access authorizationproving apparatus which communicates the access authorizationinformation to the access control apparatus, and it is determined thatthe identifier authorizes for access if the identifier is not containedin a rejection list stored in the access control apparatus. This isparticularly advantageous because as a result, in the case of loss ofthe access authorization proving apparatus with access authorizationinformation stored thereon, it is possible to block the affected accessauthorization information. The rejection list on the access controlapparatus can for example be updated on the access control apparatus byother access authorization proving apparatuses and then also compriserecently lost access authorization proving apparatuses/accessauthorization information, as will be described in even greater detailbelow.

One exemplary embodiment of all the aspects of the invention furtherprovides for obtaining information that is communicated to the accesscontrol apparatus and comprises at least one fourth key which isencrypted using at least the first key of the key pair and which isusable in an authentication of the access control apparatus vis-à-vis anaccess authorization proving apparatus that communicates the accessauthorization information to the access control apparatus, or in thecheck of the authenticity and/or integrity of information communicatedto the access control apparatus, and for decrypting the encrypted fourthkey using at least the second key of the key pair in order to obtain thefourth key. In contrast to the second key of the key pair or the keypair itself, which constitutes a secret between the access authorizationgeneration apparatus and the access control apparatus, the fourth key isassigned to the access authorization proving apparatus.

The fourth key together with a third key, for example, can form asymmetrical or asymmetrical key pair. The fourth key is made availableto the access authorization proving apparatus by the accessauthorization generation apparatus for example in encrypted form (usingthe first key of the key pair) as described above for communication tothe access control apparatus, and, in addition, for example the thirdkey can be made available to the access authorization proving apparatusin unencrypted form, for example in order that the access authorizationproving apparatus can thereby perform cryptographic operationsassociated for example with the authentication of the access controlapparatus vis-à-vis the access authorization proving apparatus or theenabling of the checking of the authenticity and/or integrity ofinformation communicated to the access control apparatus by the accesscontrol apparatus. The access control apparatus can then determine onthe basis of the decrypted fourth key, the second key of the key pairand the communicated access authorization information (with the firstcheck information contained therein), for example, that the accessauthorization information is intended for the access control apparatus(on the basis of the first check information and the second key of thekey pair as described thoroughly above) and was communicated by anaccess authorization proving apparatus that is authorized (by the accessauthorization generation apparatus) (checked by authentication vis-à-visthe access authorization proving apparatus by means of H or by checkingof the authenticity and/or integrity of information communicated to theaccess control apparatus by the access authorization proving apparatusby means of H). The information with the encrypted fourth key can becommunicated to the access control apparatus by the access authorizationproving apparatus for example in the same session in which the accessauthorization information is also communicated to the access controlapparatus by the access authorization proving apparatus.

One exemplary embodiment of all the aspects of the invention furtherprovides for obtaining information communicated to the access controlapparatus and comprising at least one combination—encrypted using atleast the first key of the key pair—of a fourth key and an identifierfor the access authorization information or for an access authorizationproving apparatus that communicates the access authorization informationto the access control apparatus, wherein the fourth key is usable in anauthentication of the access control apparatus vis-à-vis an accessauthorization proving apparatus that communicates the accessauthorization information to the access control apparatus, or in thecheck of the authenticity and/or integrity of information communicatedto the access control apparatus, and for decrypting the encryptedcombination using at least the second key of the key pair in order toobtain the fourth key and the identifier, wherein the identifier furtherconstitutes one of the communicated access authorization parameters, andwherein it is determined that the identifier contained in thecommunicated access authorization information authorizes for access ifthe identifier contained in the communicated access authorizationinformation corresponds to the identifier obtained by decrypting theencrypted information. The explanations containing the previousembodiment correspondingly apply to the present embodiment. In contrastto the previous embodiment, however, in the present embodiment, furtherthe fourth key as a result of the encryption together with theidentifier is linked to the identifier and thus also to the accessauthorization information or access authorization proving apparatusidentified by the identifier. What is advantageous here, firstly, isthat a possibility is provided for making available to the accesscontrol apparatus reference information for the check of theidentifier—contained in the access authorization information as accessauthorization parameter—of the access authorization information oraccess authorization proving apparatus, which (in contrast to otherreference information such as, for example, the identifier of the accesscontrol apparatus or the temporal information) is not present in theaccess control apparatus. Further, the access control apparatus can thendetermine, however, on the basis of the decrypted fourth key, thedecrypted identifier, the second key of the key pair and thecommunicated access authorization information (with the identifiercontained therein as access authorization parameter and the first checkinformation), that the access authorization information is intended forthe access control apparatus (on the basis of the first checkinformation and the second key of the key pair as described thoroughlyabove) and was communicated by an access authorization proving apparatusthat is authorized (by the access authorization generation apparatus)(checked by authentication vis-à-vis the access authorization provingapparatus by means of H or by checking of the authenticity and/orintegrity of information communicated to the access control apparatus bythe access authorization proving apparatus by means of H), and that theaccess authorization proving apparatus was authorized by the accessauthorization generation apparatus specifically for this accessauthorization information. The information with the encryptedcombination of the fourth key and the identifier can be communicated tothe access control apparatus by the access authorization provingapparatus for example in the same session in which the accessauthorization information is also communicated to the access controlapparatus by the access authorization proving apparatus.

One exemplary embodiment of all the aspects of the invention furtherprovides for obtaining information communicated to the access controlapparatus and comprising at least one combination—encrypted using atleast the first key of the key pair—of a fourth key and an identifierfor the access authorization information or for an access authorizationproving apparatus that communicates the access authorization informationto the access control apparatus, wherein the fourth key is usable in anauthentication of the access control apparatus vis-à-vis an accessauthorization proving apparatus that communicates the accessauthorization information to the access control apparatus, or in thecheck of the authenticity and/or integrity of information communicatedto the access control apparatus, and for decrypting the encryptedcombination using at least the second key of the key pair in order toobtain the fourth key and the identifier, wherein the identifier furtherconstitutes one of the communicated access authorization parameters, andwherein it is determined that the identifier contained in thecommunicated access authorization information authorizes for access ifthe identifier contained in the communicated access authorizationinformation corresponds to the identifier obtained by decrypting theencrypted information and the identifier is not contained in a rejectionlist stored in the access control apparatus. The explanations concerningthe two previous embodiments correspondingly apply to the presentembodiment. In the present embodiment, however, the identifier—containedin the encrypted combination or in the access authorizationinformation—of the access authorization information or accessauthorization proving apparatus fulfils a double function: firstly, itserves to ensure that the communicated access authorization informationoriginates from an access authorization proving apparatus authorized bythe access authorization generation apparatus (determined by comparisonof the identifier contained in the encrypted combination with theidentifier contained in the access authorization information) and,secondly, it is used for coordination with a rejection list that isstored in the access control apparatus and that thus constitutesreference information for the check of the access authorizationparameters represented by the identifier.

By way of example, the access authorization information communicated tothe access control apparatus can be stored in identical form on at leasttwo access authorization proving apparatuses, wherein this identicalaccess authorization information stored on the at least two accessauthorization proving apparatuses in each case has the same identifierfor the access authorization information and said access authorizationinformation is associated in each case with the same fourth key (that isto say that, for example, the respective identifier of the accessauthorization information is encrypted in each case as a combinationwith the same fourth key using the first key of the key pair, forexample in order to link the respective identifier to the fourth key).By way of example, a plurality or all of the access authorizationinformation pieces contained on the access authorization provingapparatus that communicates the access authorization information to theaccess control apparatus can also be associated with said fourth key,wherein the identifiers of these access authorization information piecesthat are intended in particular for different access control apparatusesdiffer. By way of example, all of the access authorization informationpieces contained on a plurality of access authorization provingapparatuses can also be associated with said fourth key. There is thenfor example (at least at one point in time) only a single fourth key forthe access authorization proving apparatuses and the accessauthorization information thereof. The identifier of the accessauthorization information is then for example in each case only specificto the access control apparatus for which the access authorizationinformation is intended, but is not specific to the access authorizationproving apparatus on which the access authorization information isstored.

The use of an identical fourth key for a plurality of different accessauthorization information pieces on a plurality of access authorizationproving apparatuses and the use of identifiers that are specific only tothe access control apparatuses but are not specific to the accessauthorization proving apparatus, particularly in the case of largenumbers of access authorization proving apparatuses and access controlapparatuses relative to fourth keys chosen individually per accessauthorization proving apparatus and identifiers of the accessauthorization information that are individual for each pairing of accesscontrol apparatus and access authorization proving apparatus, can allowa considerable reduction of the complexity associated with thegeneration and assignment of the fourth key and the access authorizationinformation, since access authorization information has to be generatedonly for each access control apparatus and the number of combination ofthe fourth key with the identifier of the access authorizationinformation which has to be encrypted using the first key of the keypair for a respective access control apparatus likewise corresponds onlyto the number of access control apparatuses. However, thissimplification entails the disadvantage that any access authorizationproving apparatus can then obtain access to all access control apparatuswhose access authorization information it contains. Therefore, theaccess authorization information is linked only to a respective accesscontrol apparatus, but not to a specific access authorization provingapparatus. In other words, if for example a group of M accessauthorization proving apparatuses (e.g. deliverer devices) is equippedin each case with access authorization information for N differentaccess control apparatuses (e.g. parcel boxes) (wherein the accessauthorization information for a specific access control apparatus isidentical on each of the M access authorization proving apparatuses andonly the access authorization information pieces for different accesscontrol apparatuses differ in each case), in order that each of saidaccess authorization proving apparatuses can bring about access to eachof the N access control apparatuses, in the case of loss of an accessauthorization proving apparatus the N access authorization informationpieces stored on said access authorization proving apparatus can belocked only by the identifiers for said N access authorizationinformation pieces being entered in respective rejection lists on all ofthe N access control apparatuses. In that case, however, it is also nolonger possible for any of the other M−1 access authorization provingapparatuses to claim access to the N access control apparatuses. Thisdisadvantage resulting from a simplified management possibility can beeliminated by a series of measures, as explained below.

By way of example, it can be provided that the access authorizationinformation communicated to the access control apparatus has a limitedtemporal validity (which is for example 1 month, 2 weeks, 1 week, 3 daysor 1 day) and/or has only a limited permissible number of accessprocesses within its period of validity (for example fewer than 5, 4 or3 access processes) and/or can be or is only communicated to the accesscontrol apparatus by the access authorization proving apparatus if it isdetermined at the access authorization proving apparatus that there is aneed for the access to the access control apparatus (for example becausea parcel or an piece of mail is intended to be inserted into orretrieved from a parcel box controlled by the access control apparatus).

The limitation of the temporal validity and/or of the number of thepermissible number of access processes reduces the possibilities formisuse with regard to time and with regard to the number of possiblemisuse actions per access control apparatus. Taking account of the needfor access restricts the possibilities of misuse to the access controlapparatuses for which access processes are actually necessary, which isusually only a small portion of the access control apparatuses for whichan access authorization proving apparatus has stored accessauthorization information. The need for access can be determined forexample on the basis of mail data stored on the access authorizationproving apparatus, e.g. a deliverer device. By way of example, thedeliverer can optically scan, acquire via radio or read anidentification of the mail from a parcel and input it into the delivererdevice. The deliverer device can then for example determine the maildata associated with the identification in the deliverer device and, onthe basis of a coordination of the address data (e.g. zip code, streetand house number) of the mail and of the addressees—also stored in thedeliverer device—of the parcel boxes and/or of the addresses of theusers of parcel boxes, select that parcel box for which the mail isintended. By way of example, the deliverer can then communicate theaccess authorization information only to this parcel box. By means ofthese measures, for example, the blocking of identifiers for accessauthorization information stored on an access authorization provingapparatus that has gone astray can be completely dispensed with, undercertain circumstances, and/or the length of the rejection listsmaintained in the access control apparatus can thus be significantlyreduced (for example they then contain only identifiers of accessauthorization information stored on lost tags, but not those of accessauthorization information stored on deliverer devices that have goneastray).

By way of example, the access authorization information communicated tothe access control apparatus can be stored in identical form on at leasttwo access authorization proving apparatuses, wherein said at least twoaccess authorization proving apparatuses in each case have the samethird key. Therefore, on the at least two access authorization provingapparatuses (or, for example, on all the access authorization provingapparatuses of a group of access authorization proving apparatuses) thesame third key is used, which together with the fourth key forms asymmetrical or asymmetrical key pair. Therefore, for example, theauthentication of said access authorization proving apparatusesvis-à-vis the access control apparatus takes place using the same thirdkey. The disadvantage of potentially slightly reduced security that isassociated with the use of an identical third key for a plurality ofaccess authorization proving apparatuses (or, for example, all of agroup or of the system), which enables a considerable reduction of thewith the generation and distribution of the third key among the accessauthorization proving apparatuses (and also of the generation and use ofthe fourth key), can however be alleviated or eliminated by one or aplurality (e.g. all) of the measures outlined in the previous section.

The fourth key can further or alternatively also be used for thepurposes described below.

By way of example, the fourth key together with a third key forms asymmetrical or asymmetrical key pair, the communicated accessauthorization information further comprises third check information, andat the access control apparatus further second checking is performed,using at least one challenge generated by the access control apparatus,the communicated access authorization parameters, the communicated firstcheck information, the communicated third check information and thefourth key, whether the communicated third check information wasgenerated by performing cryptographic operations on informationcorresponding to the generated challenge, the communicated accessauthorization parameters and the communicated first check information,using at least the third key, wherein a further necessary condition forgranting the access is that the second checking yields a positiveresult. The challenge can be for example random information (e.g. abinary random number sequence) that is communicated to the accessauthorization proving apparatus by the access control apparatus. On thebasis of the challenge, the access authorization parameter, the firstcheck information and the third key, by performing cryptographicoperations, the access authorization proving apparatus can generate thethird check information, for example according to one of the methodsthat have already been described above for the generation of the firstcheck information. If the fourth key is part of a symmetrical key pair,the cryptographic operations can generate for example an MAC as thirdcheck information, or a digital signature can be generated if the fourthkey is part of an asymmetrical key pair. By means of the secondchecking, the access control apparatus can check in particular theauthenticity and integrity of the access authorization parameters andfirst check information communicated by the access authorization provingapparatus, in other words that they were communicated by the accessauthorization proving apparatus and were not altered. In this case, theuse of the challenge affords protection against replay attacks. This useof the fourth key can be applied for example if the access authorizationinformation is communicated to the access control apparatus from a userdevice (e.g. a cellular phone) or a deliverer device (e.g. a handheldscanner), for example by Bluetooth transmission.

Alternatively, the fourth key can be used in authenticating vis-à-vis anaccess authorization proving apparatus that includes the accessauthorization information, using at least the fourth key, wherein theaccess authorization information is communicated to the access controlapparatus by the access authorization proving apparatus only in theevent of successful authentication. If the fourth key (and hence thethird key as well) is a symmetrical key, for example, the access controlapparatus and the access authorization proving apparatus can for examplemutually verify that they each have the symmetrical key, for example byencryption of challenges obtained from the other party and a localcountercheck. If the access authorization proving apparatus is forexample a tag, for example an NFC tag from the Mifare tag from NXP, thesymmetrical key can be stored in the tag and the access controlapparatus can be granted access (in particular to the accessauthorization parameters and the first check information, which arestored for example in an “application” of the tag) only if both the tagand the access control apparatus accessing the tag have mutuallyverified that they have the symmetrical key (for example by means of aso-called three-pass mutual authentication).

One exemplary embodiment of all the aspects of the invention furtherprovides for obtaining rejection information communicated to the accesscontrol apparatus and comprising at least one new rejection list withidentifiers for access authorization information to be rejected or foraccess authorization proving apparatuses from which access authorizationinformation is to be rejected at the access control apparatus, andfourth check information at the access control apparatus, and forstoring the communicated new rejection list on the access controlapparatus only under the precondition that it is determined in a checkbased at least on the communicated fourth check information, the secondkey of the key pair and the communicated rejection information, that thecommunicated fourth check information was generated by performingcryptographic operations on the rejection information corresponding tothe communicated rejection information using at least the first key ofthe key pair. On the basis of the fourth check information, at theaccess control apparatus the authenticity and integrity of the rejectioninformation obtained can be checked, for example on the basis of one ofthe methods such as have already been explained above for the firstcheck information. The rejection information and/or the fourth checkinformation are/is for example generated by the access authorizationgeneration apparatus and communicated to the access control apparatus bythe access authorization proving apparatus. A new rejection list can becommunicated to the access control apparatus, for example, as soon as ithas become known that at least one identifier of access authorizationinformation or of an access authorization proving apparatus is to beblocked, for example on account of the loss of an access authorizationproving apparatus. On the access control apparatus, as already explainedabove, a precondition for permitting access may be that the identifierof the access authorization information with which access is sought isnot contained on the rejection list.

The rejection information can for example further comprise a counterthat is incremented with each new rejection list, wherein the newrejection list is stored in the access control apparatus only under thefurther precondition that the value of the counter comprised by therejection information is greater than a value of a counter provided inthe access control apparatus, and wherein the value of the counter ofthe access control apparatus is updated to the value of the countercomprised by the rejection information in or after the storage of thenew rejection list in the access control apparatus. It is therebypossible to prevent an attempt from being made to enable an oldrejection list (which for example does not contain identifiers that arecurrently to be blocked) to be installed on the access controlapparatus.

The rejection information can for example further comprise an identifierof only one access control apparatus or a group of access controlapparatuses on which the new rejection list is intended to be stored,wherein the new rejection list is stored in the access control apparatusonly under the further precondition that an individual identifier of theaccess control apparatus that is stored in the access control apparatusor a group identifier for a group of access control apparatuses thatcontains the access control apparatus corresponds to the identifiercomprised in the rejection information. This identifier ensures that therejection list can only be installed on a specific access controlapparatus or group of access control apparatuses.

The above-described exemplary embodiments and exemplary configurationsof all the aspects of the present invention should also be understood tobe disclosed in all combinations with one another.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

Further advantageous exemplary configurations of the invention can begathered from the following detailed description of some exemplaryembodiments of the present invention, in particular in conjunction withthe figures. However, the figures accompanying the application areintended to serve only for the purpose of clarification, but not forextending the scope of protection of the invention. The accompanyingdrawings are not necessarily true to scale and are merely intended toreflect by way of example the general concept of the present invention.In particular, features contained in the figures ought not under anycircumstances be deemed to be a necessary part of the present invention.

In the figures:

FIG. 1: shows a schematic illustration of one exemplary embodiment of asystem according to the present invention;

FIG. 2: shows a schematic illustration of one exemplary embodiment of anapparatus according to the present invention;

FIG. 3: shows a schematic illustration of a further exemplary embodimentof a system according to the present invention;

FIG. 4: shows a flow diagram of one exemplary embodiment of acommunication of access authorization information between a handheldscanner/cellular phone and a parcel box according to the presentinvention;

FIG. 5: shows a flow diagram of one exemplary embodiment of acommunication of access authorization information between a tag and aparcel box according to the present invention;

FIG. 6: shows a flow diagram of one exemplary embodiment of acommunication of rejection information between a handheldscanner/cellular phone/tag and a parcel box according to the presentinvention;

FIG. 7: shows a flow diagram of one exemplary embodiment of acommunication of group key information between a handheldscanner/cellular phone/tag and a parcel box according to the presentinvention;

FIG. 8: shows a flow diagram of one exemplary embodiment of acommunication of keys and access authorization information between thekey server and further components of an exemplary system according tothe invention;

FIG. 9: shows a schematic illustration of the distribution of group keysand access authorization information in an exemplary system according tothe invention;

FIG. 10: shows a schematic illustration of the assignment of parcelboxes to different delivery areas in accordance with one exemplaryembodiment of the invention; and

FIG. 11: shows a flow diagram of the possible order of operations in oneexemplary embodiment of a parcel box according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

An overview of one exemplary embodiment of a system 1 according to theinvention is illustrated in FIG. 1. The system comprises an accessauthorization generation apparatus 2, an access authorization provingapparatus 3 and an access control apparatus 4. Particularly the accessauthorization proving apparatus 3 and the access control apparatus 4 canbe present multiply, but are constituted only singly in each case forreasons of simplifying the illustration. The components 2, 3 and 4constitute respective exemplary apparatuses in accordance with thefirst, second and third aspects of the invention, the properties ofwhich have already been thoroughly outlined. FIG. 1 therefore servesprimarily for clarification of what keys are stored in the individualcomponents and what information is exchanged between the components.Access authorization generation apparatus 3 stores in particular thefirst individual key S₁ and optionally also a first group key S_(T1),which together with a second individual key S₂ and a second group keyS_(T2), respectively, in the access control apparatus 2 respectivelyform an individual key pair (S₁, S₂) and a group key pair (S_(T1),S_(T2)). These pairs can each form a symmetrical or asymmetrical keypair, wherein both keys are identical in the case of a symmetrical keypair, that is to say that e.g. S₁=S₂=S and/or S_(T1)=S_(T2)=ST hold(s)true, and S₁≠S₂ and/or S_(T1)≠S_(T2) hold(s) true in the case of anasymmetrical key pair.

The access authorization proving apparatus 2 generates and transmits oneor more of the following pieces of information to the accessauthorization proving apparatus 3:

-   -   access authorization information B and first check information        V,    -   the fourth key H₄ encrypted with S₁ or S_(T1), in the context of        the information A,    -   a third key H₃,    -   the group key information W and the second check information        V_(W), and/or    -   the rejection information L and the fourth check information        V_(L).

This information can be transmitted for example at least partly (orcompletely) within the same communication session between the accessauthorization generation apparatus 2 and the access authorizationproving apparatus 3 (that is to say for example between the setting upand clearing down of a communication connection between the accessauthorization generation apparatus 2 and the access authorizationproving apparatus 3), or else in different communication sessions.However, the group key information W can be transmitted for example lessfrequently than the for example the access authorization information Band the rejection information L, since the need to change them arisesless often.

This information can be transmitted from the access authorizationgeneration apparatus 2 to the access authorization proving apparatus 3at least partly wirelessly (e.g. via mobile radio or WLAN), particularlyif the access authorization proving apparatus 3 is a portable userdevice (e.g. a cellular phone) or a portable deliverer device (e.g. ahandheld scanner). In this case, the transmission does not have to beperformed directly, but rather can be performed via one or moreintermediate stations (e.g. the decentralized units that will bediscussed further below), as will be discussed in even greater detailbelow. If the access authorization proving apparatus 3 is a tag (e.g. anRFID or NFC tag), the transmission of the information should beunderstood as logical and can mean, for example, that the information iscommunicated to a server of a production system for the tags and storedthere in the tags.

The third key H₃ and the fourth key H₄ here again form a key pair (H₃,H₄), which for example can be symmetrical, that is to say H₃=H₄=H, orcan be asymmetrical, that is to say H₃≠H₄.

From the pieces of information communicated to the access authorizationproving apparatus 3 by the access authorization generation apparatus 2,in principle each piece of information, apart from the third key H₃, canbe communicated further to the access control apparatus 4 by the accessauthorization proving apparatus 3 and can then be used in the accesscontrol apparatus 4 for checking whether this information is authenticand has integrity and whether—in the case of the access authorizationinformation—the operator of the access authorization proving apparatus 3is permitted to be granted access.

In this case, the third key H₃ is stored in the access authorizationproving apparatus 3 and used for example in the context of the mutualauthentication between access authorization proving apparatus 3 andaccess control apparatus 4, wherein the latter has received thecounterpart to the third key H₃, namely the fourth key H₄, communicatedin encrypted form (information A) and, after decryption, stores it atleast temporarily.

FIG. 2 shows a schematic illustration of one exemplary embodiment of anapparatus 5 according to the present invention. Apparatus 5 canrepresent for example the access authorization generation apparatus 2,the access authorization proving apparatus 3 or the access controlapparatus 4 from FIG. 1.

Apparatus 5 comprises a processor 50 with assigned main memory 52 andprogram memory 51. The processor executes for example programinstructions stored in the program memory 51. The program instructionsperform the method in accordance with the first, second or third aspectof the invention and/or control it. Thus, the program memory 51 containsa computer program according to the first, second or third aspect of theinvention and constitutes a computer program product for storing it.

The program memory 51 can be for example a persistent memory, such as aread-only memory (ROM), for example. The program memory can for examplebe fixedly connected to the processor 50, but can alternatively also bereleasably connected to the processor 50, for example as a memory card,floppy disk or optical data carrier medium (e.g. a CD or DVD). Furtherinformation can also be stored in the program memory 51, or in aseparate memory. If apparatus 5 is the access authorization generationapparatus 2, this information can include for example the keys S₁ and/orS_(T1) and/or the keys H₃ and/or H₄, as well as, for example,information about the access control apparatus for which accessauthorization information is intended to be generated (e.g. theidentifier of the access control apparatus) and information concerningthe access authorization information, the group key information and/orthe rejection information and the assigned check information thereof. Ifapparatus 5 is the access authorization proving apparatus 3, saidinformation can include for example the information obtained from theaccess authorization generation apparatus 2 (in particular B, V, W,V_(W), L, V_(L), A, H₃). If apparatus 5 is the access control apparatus4, said information can include the keys S₂ and/or S_(T2) and alsoreference information on the basis of which obtained accessauthorization parameters are checked to determine whether they provideauthorization in each case for granting access (e.g. an identifier ofthe access control apparatus, a rejection list, one or more counterse.g. for group key information or rejection information, etc.).

The main memory 52 is used for example for storing temporary resultsduring the processing of the program instructions; this is for example avolatile memory, such as a random access memory (RAM), for example.

The processor 50 is further operatively connected to a communicationunit 53, which enables information to be exchanged with externalapparatuses, for example.

If the apparatus 5 represent the access authorization generationapparatus 2, the communication unit 53 can be configured for example forcommunication via a network such as the Internet, for example, in orderto be able to transmit information for example to one or more thefollowing units:

-   -   to a server of a manufacturer of access control apparatuses 4        (cf. server 72 in FIG. 9) and/or    -   to a server of a manufacturer of access authorization proving        apparatuses 3 (cf. server 73 in FIG. 9), and/or    -   to an interface server of a mobile communication network via        which information is intended to be transmitted wirelessly to an        access authorization proving apparatus 3 (e.g. a cellular phone        or a handheld scanner), and/or    -   to a management server (e.g. provision server 66 in FIG. 3),        under the control of which the distribution of the information        to decentralized units (see 71-2 in FIG. 8) for transmission to        access authorization proving apparatuses 3 (e.g. deliverer        devices) takes place, and/or    -   at least indirectly to a computer (e.g. a decentralized unit        71-2 in FIG. 8), by which or under the control of which the        information is then intended to be communicated to access        authorization proving apparatuses 3 (e.g. deliverer devices)        (for example wirelessly (e.g. via a LAN) or in a wired manner        (e.g. via a WLAN)).

If the apparatus 5 represents the access authorization proving apparatus3 in the form of a user device or deliverer device, the communicationunit 53 can comprise the following, for example:

-   -   a mobile radio interface for receiving information from the        access authorization generation apparatus 2,    -   an interface for wireless (e.g. by WLAN) or wired reception        (e.g. via a docking station) of information of an apparatus (for        example a decentralized unit) to which the access authorization        generation apparatus 2 transmitted this information for        transmission to the access authorization proving apparatus 3,    -   a radio interface for communication with the access control        apparatus 2, in particular a Bluetooth interface and/or an RFID        interface and/or NFC interface.

If the apparatus 5 represents the access authorization proving apparatus3 in the form of a tag, the communication unit 53 can comprise thefollowing, for example:

-   -   a radio interface for communication with the access control        apparatus 2, in particular a Bluetooth interface and/or an RFID        interface and/or an NFC interface.

The apparatus 5 can also contain further components, for example agraphical user interface, in order to permit an operator to interactwith the apparatus 5, particularly if apparatus 5 constitutes an accessauthorization proving apparatus 3 in the form of a user device ordeliverer device. If apparatus 5 constitutes a deliverer device, theapparatus 5 can comprise for example a unit for in particular opticallydetecting information (e.g. a scanner), and/or for example a userinterface for detecting handwritten inputs, such as e.g. a signature.

If apparatus 5 represents an access control apparatus 4, a for exampleoptical and/or acoustic user interface can likewise be provided, inorder to be able to output to the operator for example information aboutthe status of the access control apparatus 4 and/or about the success ofan attempt to be granted access at the access control apparatus 4 withaccess authorization information. In the case of an access controlapparatus 4, the apparatus 5 can also comprise control means forcontrolling a locking unit (e.g. for unlocking same) depending on thedecision whether access can be granted. The locking unit can comprisefor example an in particular electronically controllable lock. In thecontext of the description of the exemplary embodiments in FIGS. 3-10, aunit comprising at least the processor 50, the memories 51 and 52 andthe locking unit is referred to as “lock”. In the case of an accesscontrol apparatus 4, the apparatus 5 can further also comprise one ormore sensors, for example for detecting a current locking state of thelocking unit. In the case of an access control apparatus 4, theapparatus 5 can comprise for example a battery (whether or not e.g.rechargeable), in particular as sole power supply. In the case of anaccess control apparatus 4, the apparatus 5 can have for example noconnection to a wired network, that is to say in particular noconnection to a LAN, and/or for example no connection to a WLAN or amobile radio network (in particular a cellular mobile radio network).

In the case of an access authorization proving apparatus 3 in the formof a tag, the apparatus 5 can comprise for example no dedicated powersupply and draw its energy for communication from the field of a readingunit of the access control apparatus 4. In the case of such a tag, it isalso possible for no user interface to be present.

The components 50-53 can be embodied for example jointly as a module orunit, or can be embodied at least partly as individual modules, in orderto ensure easy exchangeability in the event of possible defects.

A concretized exemplary embodiment of an access control system 6according to the invention, which is illustrated in FIG. 3, is presentedbelow with reference to FIGS. 3-10. In the case of this access controlsystem 6, the access authorization generation apparatus 2 is embodied asa key server 60, the access control apparatuses 4 are embodied as parcelboxes 69 (or units thereof that control access, in particular “locks”)that are assigned to users 63 (e.g. users registered for use of theparcel boxes), and the access authorization proving apparatuses 3 areembodied as handheld scanners 68 or tags 74 of deliverers 70 or ascellular phones 61 or tags 62 of users 63, which are referred to overallas “token”. The users 63 here are for example the owners of parcel boxesor other persons (e.g. from the same household or the neighborhood) whohave registered themselves to receive mail in a specific parcel box 69or to be able to have said mail collected from said parcel box. Theusers 63 are also referred to as parcel box users. The deliverers 70 canbe for example parcel deliverers, combination deliverers (who deliverboth letters and parcels) or letter deliverers. For the parceldeliverers and combination deliverers it is important, for example, tobe able to open the parcel box in order to deliver parcels therein or tobe able to retrieve parcels therefrom. For combination deliverers andletter deliverers it is important, for example, to be able to open theparcel box in order that large-format letters (e.g. maxi-letters) which,under certain circumstances, do not fit through a letter slot of theparcel box can be delivered into the parcel box by the latter beingopened.

However, the concretization of the components 2, 3 and 4 that iseffected in FIGS. 3-10 and the associated description serves only forexplanation purposes and ought not to be understood as essential orrestrictive. In particular, the interaction of the thus concretizedcomponents 2, 3 and 4 also in general form—that is to say detached fromthe concrete embodiment of these components—should be understood asdisclosed. This likewise applies to the transmission techniquesconcretized for explanation purposes, in particular Bluetooth and NFC,which should be understood merely as an example of one possible form ofthe wireless communication between access authorization provingapparatuses 3 and access control apparatuses 4. A parcel box 69 is acontainer having at least one lockable door which is configured at leastto receive parcels, for example at least one parcel having thedimensions 45×35×20 cm (which corresponds to a so-called “Packset L”),or at least two or three of such parcels. The parcel box 69 can alsohave a letter compartment (but alternatively can also have no lettercompartment), into which letters can be inserted for example through aletter slot with or without a covering flap. The letter compartment canbe lockable with its own door (with a mechanical or electronic lock) orcan alternatively be locked by means of a door of the parcel box 69together with a parcel compartment provided for receiving the parcels.If a door for the parcel compartment and a door for the lettercompartment are respectively provided, for example a common accesscontrol apparatus can be provided, which either opens one door (e.g. thedoor of the parcel compartment, e.g. for the deliverer 70) or opens bothdoors (e.g. for the user 63), depending on the access authorization. Theparcel box 69 can be provided for mounting in or on a wall, for examplea house wall, or as a free-standing unit for fixing to the ground, e.g.in front of a house. The user 63 is notified of newly delivered mail(parcels and/or letters) for example via email and/or SMS. It is alsopossible for the user 63 to insert franked mail into the parcel box 69and to request collection online or over the telephone. If no collectionis ordered, the mail is collected, under certain circumstances, withsomewhat of a delay when a deliverer opens the parcel box the next timeand finds the mail there. As evidence of collected mail, a receipt isleft in the parcel box by the deliverer, for example.

The key server 60 is operated for example in a suitable computer centerof a delivery company, in particular of Deutsche Post DHL. It generateskeys and access authorizations and communicates them in particular tothe provision server 66. As will be described in even greater detailbelow with reference to FIG. 8, the provision server, from the accessauthorizations (and also keys, if appropriate) obtained from the keyserver 66, makes a selection of access authorizations required forrespective delivery areas, augments this information with addressinformation of parcel boxes and/or the users thereof (and also, ifappropriate, the MAC addresses of the locks of the parcel boxes 69, withthe aid of which the handheld scanners 68 can initiate a Bluetoothconnection, without time-consuming Bluetooth pairing being necessary)obtained from the parcel box management system 65, and makes thisinformation available to the handheld scanners 68 directly orindirectly. In this case, the selection is based on so-called areacutting, that is to say the assignment of mail to be delivered orcollected to delivery areas for which the deliverers 70 can registerwith their handheld scanners 68, this area cutting being performed bythe assignment server 67, which has access to the mail data.

In parallel the parcel recipients 63 obtain their keys and accessauthorization information which they can use to open the parcel boxes69. The purchase of a parcel box 69 by a user 63 and/or the registrationfor a parcel box 69 are/is performed for example via an online portal 64(e.g. the domain www[dot]Paket[dot]de) that exchanges information inthis regard with the server of the parcel box management 65. In additionor as an alternative to the handheld scanners 70 of the deliverers, tags74 are also provided, which can be used by the deliverers 70 (inparticular letter deliverers) to open in each case a plurality of parcelboxes 69, for example all the parcel boxes 69 of a delivery area. Saidtags are also referred to hereinafter as Group Lock Access (GLA) token.In a similar manner, tags 62 are also provided for the users 63 inaddition or as an alternative to the cellular phones 61, which tags,however, generally only open the parcel box 69 respectively assigned toa user 62, said tags also being referred to hereinafter as IndividualLock Access (ILA) token. The access authorization information and keyscontained on the tags 62, 74 are likewise generated by the key server 60and then stored on the tags, as is indicated by the dashed lines in FIG.3.

If the user 63 uses a cellular phone for opening the parcel box 69, saidcellular phone can communicate with the key server 60 for example via asoftware application (referred to hereinafter as “app”). The app itselfand/or its communication with the key server 60 can be configuredparticularly securely here, for example by measures such as encryptedcommunication, version control, hardening, password protection, etc.

Firstly, the components of the access control system 6 in FIG. 3 aredescribed in greater detail below.

Locks

Locks are integrated in the parcel boxes 69 used by delivery companiesto deliver both parcels and letters to customers 63. Since letters andparcels ought to be delivered exclusively to the original recipient 63,the parcel boxes 69 are responsible for the actual accessauthorizations. Accordingly, the parcel boxes 69 are equipped with (moreparticularly electronically controllable) locks and a communicationinterface. Further, they include the logic for obtaining accessauthorizations and proving and ensuring the access, that is to say theopening. Parcel boxes 69 are either owned by individual customers 63 orshared by different customers 63.

Access Authorizations

Deliverers 70 or users 63 are granted access to parcel boxes 69 only ifthey are in possession of a valid access authorization. Accessauthorizations comprise one or more of the access authorizationparameters already described. In this case, access authorizations arereproduced in electronic form and written on a physical token. An accessauthorization can be limited both with regard to a period of use (notbefore and not later) and with regard to the number of their uses—foropening a lock.

Physical Tokens

A physical token includes the access authorization. There are threedifferent types here: handheld scanners 68, NFC tags 62, 74 and cellularphones 61, for example smartphones 61. In this case, handheld scanners68 are used for example exclusively by deliverers 70 for delivery andcollection of mail (e.g. parcels). Cellular phones 61 are typically usedby the customers 63. NFC tags 62, 74 can be used both by deliverers 70and by users 63. While delivery personnel 70 who deliver letters that donot fit in the letter slot of the parcel box 69 need access to a groupof parcel boxes 69, users 63 and parcel deliverers 70 with handheldscanners 68 require individual access to parcel boxes 69. Therefore,Group Lock Access (GLA) tokens (for group access) and Individual LockAccess (ILA) tokens (for individual access) are differentiated and usedin the system in FIG. 3. Therefore, ILA tokens are used on the cellularphone 62 of a user 63, the NFC tag 62 of a user 63 and the handheldscanner 68 of a (parcel) deliverer 70, while GLA tokens are used on theNFC tags 74 of a (letter) deliverer 70.

Key Server

The key server 60 manages all the access authorizations of the system 6.In particular it contains information about all the users 63, all theparcel boxes 69 and the associated access rights. Therefore, it alsogenerates the actual access authorizations that can be used on thephysical tokens.

Cryptographic Keys of the Locks

Each lock of a parcel box 69 has two keys used for differentiatingbetween the types of tokens discussed above.

For ILA tokens: A lock has an individual key S₂. In order to open alock, an ILA requires a valid access authorization B. The key S₂ is usedto verify the access authorization B. Further, the key S₂ is used tovalidate a rejection list and/or group key information. The key S₂together with a key S₁ forms a key pair, which can be symmetrical orasymmetrical. In the case of a symmetrical key S₁=S₂, for exampleAES-128 is used as symmetrical cryptographic primitives and is used forthe encryption of, for example, the so-called Cipher Block Chaining(CBC) mode together with a random initialization vector (IV). The IV canbe generated individually by a random number generator (RNG) for examplefor each encryption and be transmitted for example as plain text. In thecase of an asymmetrical key pair, for example, a digital signature isprovided for checking integrity.

For GLA tokens: A lock has a group key S_(T2). In order to open thelock, a GLA token requires a valid access authorization B. In this case,the key S_(T2) is in turn used to verify the access authorization B. Thekey S_(T2) together with a key S_(T1) forms a key pair, which can besymmetrical or asymmetrical.

The keys S₂ and S_(T2) are generated in the process for producing thelock, for example, and are stored in the lock. Both keys must beadequately protected in the lock against unauthorized accesses. Bothkeys, together with management data of the lock and a unique identifier(LockID), are communicated to the key server 60 and stored there. Thekey server 60 then uses the keys S₁ and S_(T1) for cryptographicprotection of the access authorizations—in order to allow theverification of the validity of the access authorizations at thelock—and the key S₁ further for protection of the rejection list and thegroup key information.

Cryptographic Keys for ILA Tokens

Each ILA token is equipped with a third key H₃, which together with afourth key H₄ forms a symmetrical (that is to say H₃=H₄) or asymmetrical(that is to say H₃≠H₄) key pair (H₃, H₄). Said key H₃ is used forauthentication of the ILA token at the lock to which the key H₄ is madeavailable at least temporarily. In this case, the key server uses thekey pair (H₃, H₄) in order to ensure access authorization to the lock bythe ILA token. During the initialization of the ILA token, in theprocess the key H₃ is installed and stored on the key server.

The key H₃ can further be issued for a group of ILA tokens. In thiscase, all the ILA tokens of a group are then equipped with the same keyH₃. A plurality of keys can exist in parallel on an ILA token, that isto say that one or more group keys can be present alongside one or moreindividual keys on an ILA token. (Even though mention is made here ofgroups of tokens, these should nevertheless be regarded as individualaccess authorizations that allow access to individual locks rather thanto groups of locks.)

A group key can be installed on the device during or after theinitialization process, but the key must exist on the device at allevents prior to use.

Cryptographic Keys for GLA Tokens

Each GLA token is equipped with a key H₃ which, together with a key H₄,forms a symmetrical or asymmetrical key pair (H₃, H₄). The key H₃ isused to obtain access to a group of locks that have the key H₄ at leasttemporarily. The key server uses the key pair (H₃, H₄) to allocateaccess authorizations for a group of locks to the GLA token.

The key H₃ is installed on the device during the initialization processand is stored on the key server.

Structure of the Access Authorizations

Access authorizations are granted by the key server. An accessauthorization can contain one or more of the following accessauthorization parameters:

-   -   KeyID: ID of the access authorization (allocated by the key        server)    -   LockID: ID of the lock        -   For ILA tokens: The lock number and MAC address are            communicated to the key server by the task management. Part            of the LockID can be used for example to differentiate or to            identify different lock manufacturers.        -   For GLA tokens: In this case, the LockID is the ID of the            group to which the parcel box with the concrete key belongs.    -   NotBeforeDate: Date “valid from” with year/month/day    -   NotAfterDate: Date “valid until” with year/month/day    -   StartTimeOfDate: Time of day starting from when the access        authorization is valid (standard e.g. 00:00:00)    -   EndTimeOfDay: Time of day until when the access authorization is        valid (standard e.g. 23:59:59)    -   MaxUses: Number of uses; standard 0 means “unlimited”    -   Permissions: Setting permission for safety-critical operations,        e.g. whether it is permitted to open the parcel compartment        and/or to open the parcel compartment and the letter        compartment.

An access authorization can be identified by a unique KeyID. The“LockID” describes the lock (or the group of locks) for which the accessauthorization is valid. In this case, for example, a predefined numberof bit positions of the LockID (e.g. four bits) can carry a coding thatindicates whether an individual identifier or a group identifier isinvolved. With such a code, the lock can recognize which key it issupposed to use for the decryption: the individual key S₂ or one ofgroup keys S_(T2). The manufacturer from which the lock originates canalso be coded in this code, or in other bit positions of the LockID.

It may happen that a lock must include a plurality of group keys if theparcel box is situated in a zone that constitutes an overlap of twodelivery groups. This will be explained in even further detail below.

The two parameters “NotBeforeDate” and “NotAfterDate” define the periodof validity of the access authorization, with the accuracy of one day.“NotBeforeDate” defines the date of the first use and “NotAfterDate”defines the last date in the period of validity. Further,“StartTimeOfDay” specifies the time of day from when the period ofvalidity begins, and “EndTimeOfDay” specifies when said period ofvalidity ends. The accuracy is one second, for example. However, otherpossibilities for the definition of validity intervals are alsoconceivable, for example in the form of a printer or index that refersto individual entries of a plurality of predefined periods of validitywhich for example are stored in each case in the key server and in thelock or can be calculated from the index according to a predefined rule.By way of example, in the case of access authorizations that are validfor a respective date, just the date of validity can be used as accessauthorization parameter, said date being specified for example as anoffset with regard to a predefined reference date (e.g. Jan. 1, 2014),that is to say for example as “20” if the access authorization isintended to be valid on Jan. 21, 2014. “MaxUses” defines how often thekey can be used to open a lock. In this case, the value “0” stipulatesfor example that the key is permitted to be used without limitation inthe period of time. “Permissions” codes, for example by the setting ofindividual bits in a bit string, what security-critical operations atoken is permitted to perform, as has already been enumerated above byway of example (a bit set to 1 then indicates for example in each casethe presence of the authorization).

The key server grants an access authorization B for a lock. Depending onthe type of token, the server generates the value V, as the result ofcryptographic operations on the access authorization B using the key S₁or the key S₂. The cryptographic operations can designate for examplethe formation of an MAC value by means of B with a symmetrical key S₁ orthe formation of a digital signature by means of B using an asymmetricalkey S₁, to give just a couple of non-restrictive examples.

Structure of the Rejection List

KeyIDs can be locked for a lock by rejection lists from the key server60. In this case, the list contains all KeyIDs of the accessauthorizations which were revoked for an associated period of time ofthe access authorizations by the lock. Access authorizations that are nolonger valid on account of their period of validity are removed from thelist, for example, in order to keep said list short and thus to ensure alow storage requirement in the locks. It is for example not possible toreverse a revocation of an access authorization once said revocation hasbeen initiated. If an access authorization has been revoked, it is nolonger possible to open the lock using this access authorization.

The key server 60 generates the rejection information L (which containsthe rejection list) and check information VL, which for example is againbased on cryptographic operations on L using the key S1.

The rejection information L can contain for example the identifier (e.g.LockID) of the lock to which the rejection list relates, and a list ofthe KeyIDs to be locked. Further, a unique counter for the rejectionlist can be included, which indicates the ordinal number of the presentrejection list for the lock. A corresponding counter can then beimplemented in the lock in order to be able to check the validity of thecurrent rejection information.

Lock Opening Using a Handheld Scanner or a Cellular Phone

A lock is opened after a token has authenticated itself by communicatinga valid access authorization. This process is illustrated in the flowdiagram 400 in FIG. 4.

The token (handheld scanner 68 or cellular phone 61) has received forexample the following data from the key server: an access authorizationB and first check information V, a third key H3 and an authenticationvalue A, which comprises a combination—encrypted using S1—of at least H4and the KeyID of the access authorization B. In the case of asymmetrical encryption, the initialization vector IV of a CBC mode ofthe encryption may likewise have been received.

The process 400 of opening a lock then proceeds as illustrated asfollows (cf. FIG. 4).

In a step 401, firstly a Bluetooth connection between token 61, 68 andlock (of the parcel box 69) is set up, preferably using the MAC addressof the lock that is known to the token 61, 68, in order to avoidBluetooth pairing.

In a step 402, the token 61, 68 authenticates itself vis-à-vis the lockon the basis of the key H3. For this purpose, at least the information Ais communicated to the lock, from which information the lock can obtainthe key H4 using its key S2. On the basis of H3 and H4, the token 61, 68and the lock can then perform an authentication protocol known to theperson skilled in the art, for example a challenge-response method, inwhich the token 61, 68 applies the key H3 to a challenge (and possiblyfurther information) received from the lock and transmits that as aresponse to the lock, which can then in turn check the response on thebasis of the key H4 in order to determine the authenticity of the token61, 68.

After authentication of the token 61, 68 has been performed, or in aprocess combined with said authentication, the token 61, 68 furthercommunicates the information B and V to the lock.

In a step 403, the lock can then check the authenticity and integrity ofB and V vis-à-vis the key server 60, that is to say determine whether Band V originate from the key server and have not been altered. The lockuses the key S₂ for this purpose. In the case of a successful check, theaccess authorization parameters of B are checked against referenceinformation present in the lock, in order to determine whether the lockcan be opened on the basis of B.

In particular, in this case—depending on the presence of the respectiveaccess authorization parameters in the access authorizationinformation—the following can be checked, wherein the order of thechecks can be arbitrary and they can already be terminated in the eventof a condition not being met, or the process can jump to step 404, inorder to save time and/or power:

-   -   Whether the KeyID (decrypted from A) corresponds to the KeyID of        the access authorization.    -   Whether the access authorization is still valid from a temporal        standpoint (by comparison with a clock of the lock),    -   Whether the access authorization is not in the rejection list        for the lock.    -   Whether the LockID of the access authorization matches the        LockID of the lock.    -   What extent of access is permitted by the “Permissions”.    -   MaxUses is coordinated against the internal counter of the lock        and the counter is correspondingly incremented.

In step 404, a feedback indication is then signaled to the token 61, 68(e.g. OK, ERROR, WARNING), and, given a positive result of all thechecks performed, preparations are made for the lock opening.

The key H₃ was issued to the token 61, 68 for example during aninitialization phase (particularly in the case of the token 61, forexample an initialization of an app on the cellular phone 61) or wastransferred as group key H₃ (particularly in the case of the token 68).The corresponding or identical key H₄ is communicated to the lock inencrypted form. As a result, the lock need not store all keys H₄ of alldevices and can be used extremely flexibly and offline. Further, theKeyID of the access authorization is encrypted together with the key H₄.The key of the token is thus linked to the current access authorizationof the lock. The challenge-response method is used in order to protectthe protocol against so-called “replay attacks”.

Lock Opening Using an NFC Tag

A lock is opened after a token 62, 74 has authenticated itself vis-à-visthe lock (of a parcel box 69) by communicating a valid accessauthorization.

This process is illustrated in the flow diagram 500 in FIG. 5.

The token 62, 74 has for example once again received the information B,V, A and H3, and if appropriate IV, and stores this information,wherein, in the case of an ILA token, V is based on cryptographicoperations on at least B with the key S1 and, in the case of a GLAtoken, V is based on cryptographic operations on at least B with the keyST1. In a similar manner, in the case of an ILA token, A is based on anencryption of the combination of at least H4 and the KeyID of B with S1and, in the case of a GLA token, A is based on an encryption of acombination of at least H4 and the KeyID of B with ST1. In the case ofILA tokens and GLA tokens, the key H3 (and its partner H4) can be chosendifferently for example for each token. In contrast to the tokens 61,68, in the case of the tokens 62, 74, the information B, V, A and H3possibly has greater longevity since the outlay for writing thisinformation is costly and is preferably implemented only once, inparticular during the production of the tags 62, 74 or in the context ofdelivery or start-up.

Depending on the architecture of the token 62, 74, the third key H3(which can also be referred to as device key) can be stored in a memoryof the token, said memory not being accessible externally, and can beaccessible only internally, for example for a processor of the token 62,74, while the authentication information A is stored for example in amemory area that can be read by a reader (e.g. an NFC reader inparticular of the lock). B and V can be contained in a memory area thatis enabled for reading for example only if a mutual authentication hastaken place between the reader/lock and the token 62, 74.

The process 500 of opening a lock then proceeds as illustrated in FIG.5. In a step 501, an initialization of the NFC communication betweentoken 62, 74 and lock takes place.

In step 502, a mutual authentication takes place between token 62, 74and lock on the basis of the keys H3 and H4. For this purpose, the lockfor example firstly reads out the information A from the token 62, 74and obtains the key H4 therefrom by decryption using the key S2 or thekey ST2. Which key S2 or ST2 has to be used by the lock can beidentified by the lock for example on the basis of the LockID, which forexample is likewise read out from the token 62, 74 (for example as partof A or separately therefrom), for example on the basis of predefinedbit positions indicating whether an ILA token (→use of S2 necessary) ora GLA token (→use of ST2 necessary) is involved. Insofar as necessarydepending on the type of encryption, an initialization vector IV canalso be read out from the token 62, 74, for example as part of A orseparately therefrom. On the basis of H3 (token) and H4 (lock), anauthentication protocol is then performed, for example the DESFireauthentication protocol or any other authentication protocol, which canbe based for example on a challenge-response method. It may also sufficehere, for example, for the lock to authenticate itself vis-à-vis thetoken 62, 74, for example to convert a challenge supplied by the tokeninto a response using its key H4, said response being counterchecked inthe token on the basis of H3.

In the case of successful authentication, the token 62, 74 can enablethe lock (or the reader thereof) for example to read out the informationB and V.

The authenticity and integrity of B and V are then checked in step 503analogously to the description given with regard to step 403 in FIG. 4,but V is checked either on the basis of S2 (in the case of ILA tokens)or on the basis of ST2 (in the case of GLA tokens). Which key S2/ST2 isintended to be used can be decided on the basis of the structure of theLockID contained in the token, as has already been explained.

With regard, too, to the check of the access authorization parameterscontained in B, reference can be made to the description concerning step403 in FIG. 4, with the difference that the LockID contained in B iscompared either with the LockID of the lock (in the case of ILA tokens)or with the GroupID of the lock (in the case of GLA tokens).

The lock is opened if B and V have been found to be authentic and tohave integrity, the check of the access authorization parameters inrelation to their reference variables present in the lock has proceededpositively and the permissions indicate that opening of at least onedoor is permissible.

Communication of the Rejection List

In the communication of the rejection list, the token need notauthenticate itself, for example. A reply attack cannot be performed onaccount of the counter (Counter) contained in the rejection list. Thedistribution of the rejection lists among the locks can preferably beperformed by the handheld scanners 68 and the cellular phone 61;however, GLA tokens 74 can also be used for this purpose, which GLAtokens are specifically reprogrammed for this case, such that they caninclude and communicate rejection lists.

The process 600 for communicating the rejection list by means of ILAtokens (e.g. handheld scanner 68, cellular phone 61 and tag 62) isdescribed below. In this case, the ILA token receives for example thefollowing information from the key server: rejection information L(which contains the rejection list) and fourth check information V_(L),which is generated for example by cryptographic operations beingperformed on at least L using S₁ (ILA token) or S_(T1) (GLA token).

The process 600 then proceeds as follows. In step 601, the token 61, 68,74, after a Bluetooth or NFC connection has been set up, communicatesthe rejection information L and the validation feature V_(L). In step602, the lock checks the authenticity of L on the basis of V_(L) and thekey S₂ or S_(T2), which are in turn selected on the basis of thestructure of the LockID in L. For example the contents of L can then bechecked, that is to say e.g. whether the LockID matches the LockID ofthe lock, and/or whether the value of Counter is greater than the valuemaintained in the lock for the rejection lists. If this is the case, thenew rejection list from L is accepted in the lock (by replacement of theold rejection list) and the value for the rejection lists in the lock isset to the value of Counter from L. In step 603, a feedback indicationis then signaled to the token (OK, ERROR, WARNING) (step 603).

The value of Counter ensures that the rejection list cannot be replacedby an old rejection list. Since the rejection list—when it isgenerated—is complete, the key can replace all previous KeyIDs with thecurrent KeyIDs. In this case, in particular KeyIDs of accessauthorizations that are no longer valid are removed from the rejectionlist in order to keep the latter small.

Update of Group Keys

The key S2 that is responsible for the individual access remainsconstant for example during the complete life cycle of the lock.However, the key ST2 that is responsible for the group access possiblyneeds to be exchanged once or a number of times (this can occur, forexample, if a parcel box is moved to a different delivery area). Forthis reason, the changeable key ST2 is protected according to theinvention by the invariable—and therefore more secure—key S2.

By way of example, handheld scanner 68 and cellular phone 61 areintended to be able to exchange the key ST2 (or, if appropriate, aplurality of keys ST2 present on the lock). For this purpose, the keyserver 60 creates group key information comprising, for example, one ormore components from the following: a LockID, that is to say the ID ofthe lock to which the update relates, an update_counter as uniquecounter for the update, and one or more entries, that is to say thegroup key list with the tuples (GroupID, ST2).

The token 61, 68 then receives from the key server 60 for example apackaged key value W, which encrypts at least the new group key(s) ST2and respective new GroupIDs using the individual key S1 of the lock (orfor example the entire group key information). Thus, the new key ST2 isnot present in plain text on the handheld scanner 68 or cellular phone61 and can be decrypted only by the respective lock. Further, the keyserver 60 also creates a validation value VW, which is generated forexample by cryptographic operations on at least W using the first keyS1. The cryptographic operations can in turn constitute for example anMAC function or a digital signature using S1.

The communication process 700 illustrated in FIG. 7 then proceeds asfollows. In step 701, a token 68 communicates W and VW to the lock. Step702 then involves evaluating the check information VW in order todetermine the authenticity and integrity of W and VW using the key S2.In the event of a positive result, the group key list can be decryptedusing the key S2 and further checks can be performed to ascertainwhether this group key list is permitted to be accepted in the lock,e.g. on the basis of a check whether the LockID from the group keyinformation (obtained by decryption of W) matches the LockID of thelock, and/or whether the value update_counter from the group keyinformation is greater than the corresponding value of theupdate-counter for the current group key(s) in the lock. If the checksare successful, the current group key(s) ST2 and the respective GroupIDare replaced by the new values from the group key list and theupdate_counter in the lock is replaced by the value of theupdate_counter from the group key information. Step 703 then involvessignaling the feedback indication to the token (OK/NOK).

In this case, the update_counter in turn prevents replay attacks inwhich the attacker might attempt to position one or more old groupkey(s) in the lock. The LockID in the group key information ensures thatthe update comes from key server 60 and was created for the concretelock. A further important process step, which is not presentedexplicitly here, is that the key server 60 receives the returninformation (for example from the token 68) as to whether or not the newgroup key(s) were stored in the lock. This information is necessary inorder that the key server can generate in the future usable accessauthorizations for GLA tokens.

Order of the Operations

FIG. 11 shows an exemplary flow diagram 1100 which illustrates thepossible order of operations in a lock according to the invention. Whatoperations are generally intended to be performed by the lock can becommunicated to the lock from the token for example by means of one ormore commands. In this regard, it is possible, for example, to perform aplurality of operations in a communication session, for example a groupkey update, an installation of a new rejection list and a check ofaccess authorization in order to bring about opening of the door.Depending on the desired operation, one or more of the above-describedvalues B, V, A, W, V_(W), L, V_(L) illustrated in FIG. 1 are thentransmitted from the token to the lock.

After the Start 1101, either one or more group keys can be updated onthe lock (step 1102), a new rejection list can be installed in the lock(step 1103), a token authentication (with the aid of the key H4) can beperformed (step 1104) or a firmware update of the lock software (step1110) can be performed. As illustrated in FIG. 11, some steps here, e.g.steps 1102, 1103 and 1104, can also be performed one after another. FIG.11 should be understood such that each operation is optional, inprinciple, that is to say that for example only step 1102, step 1104 andstep 1109 can be performed if so desired. Further, the processing cantherefore also be ended after each operation, for example after step1102.

After successful token authentication 1104, either the electronics canbe reset (Reset in step 1109), the status of the lock can beinterrogated (step 1108), or a check of an access authorization Bobtained can be performed (step 1105). After both steps, a reset canoptionally also be performed (step 1109). If the access authorization Bprovides authorization for example for opening one or more doors of theparcel box 69, said door(s) is/are opened (step 1106). Afterinterrogation of the status (step 1108), too, optionally—given thepresence of authorization—the door can be opened (step 1106).

As is evident from FIG. 11, no opening of the door takes place after thereset (step 1109) or the firmware update (step 1110). Further, theinstallation of the rejection list (step 1102) and the update of the oneor the plurality of group keys (step 1102) always takes place before theaccess authorization check since the rejection list or the group key(s)may be required in this check.

An explanation is given below, for the exemplary embodiment of theaccess control system in FIG. 3, of how the assignment of the accessauthorizations and keys to the devices of the deliverers 70 and users 63and to the parcel boxes 69 is performed.

Delivery Process Using Handheld Scanner

The assignment server 69 performs the so-called area cutting, that is tosay dynamically defines delivery areas on the basis of the daily amountof mail and the available delivery personnel. In the context of saidarea cutting, the parcel boxes 69 belonging to a respective area areidentified on the basis of their parcel box address (or the addresses oftheir users). It is assumed that this assignment is performeddynamically, that is to say that beforehand no statement can be maderegarding which parcel boxes 69 will belong to which area.

The master data—described in even greater detail below—of the parcelboxes, which comprise inter alia the access authorizations to therespective parcel boxes and the key H3, and for example also the addressdata of the parcel box users are then distributed regionally in aplurality of intermediate steps, the intermediate steps being irrelevantto the following considerations. Ultimately, in general one, but ifappropriate also a plurality of areas are assigned to a decentralizedunit (e.g. a computer or a server) from which the “refueling” of thehandheld scanners 68 with the master data (and the address data of theparcel box users) for a chosen area is performed. The mail data (desireddata) are likewise transferred to the handheld scanner from thedecentralized unit in the context of the refueling.

The assignment of the handheld scanners to an area is performeddynamically and downstream of the area cutting.

The above process can be summarized as follows:

-   1. Define delivery areas (for example primarily on the basis of the    delivery/collection addresses of mail, the amount of mail and the    available delivery personnel)-   2. Distribute master data of the parcel boxes (and address data of    the parcel box users) assigned to the delivery areas among the    decentralized units-   3. Register deliverer 70 with the handheld scanner 68 at the    decentralized unit-   4. Deliverer 70 collects parcels for his/her area-   5. Deliverer 70 delivers the parcels for the parcel boxes 69 in    his/her area

If the access authorization is created for a handheld scanner 68, 1 day,for example, is provided as the period of validity. Further, a parameterthat limits the maximum number of uses of said access authorization isprovided, for example.

Access Authorizations for Handheld Scanners

The key server 60 generates access authorizations B for each lock (of aparcel box 69) together with a respective corresponding validationfeature V. Each deliverer 70 is intended to receive, together with thevalidation features V, access authorizations B for those parcel boxes 69(i.e. their locks) to which said deliverer is intended to deliver on theday, that is to say those of his/her delivery area.

FIG. 8 gives an overview of one exemplary process 800 of delivery withaccess authorizations. The sequence is as follows:

The key server 60 generates in step 801 every day, for example, theaccess authorizations B_(i) (wherein the index i=1 . . . N denotes therespective lock from a total of N locks), which are validated in eachcase with a corresponding lock key S_(1,i) (which once again togetherwith a key S_(2,i) stored in the lock forms a symmetrical orasymmetrical key). For this purpose, pairs (B_(i), V_(i)) arecalculated, wherein B_(i) is an access authorization and V_(i) is theassociated first check information already described here which isgenerated using the key S_(1,i). Further, the key server generates e.g.a device key H₄ (which together with a further key H₃ forms asymmetrical or asymmetrical key pair), with which a handheld scanner 68can authenticate itself vis-à-vis a lock of a parcel box 69, andencrypts the latter (and for example one or more further parameters,e.g. the KeyID) with the respective lock key S_(1,i), in order togenerate an authorization feature A_(i).

In step 802, all the access authorizations are transmitted e.g. daily(for example in accordance with the generation frequency of the keyserver 60) from the key server 60 to the provision server 66. Inparticular, the following master data are transmitted per lock: accessauthorization B_(i), validation V_(i), and authorization feature A_(i).The LockID can also optionally be contained therein. In the provisionserver, the master data can be augmented by further information, forexample the MAC address of the lock, and/or address information of theparcel box and/or address information of the users of the respectiveparcel boxes, to give just a few examples. However, such information mayalso already have been added to the master data at the key server 60. Asalready mentioned, the MAC address is the Medium Access Control addressof the lock, by means of which the lock can be addressed directly forexample without the need for Bluetooth pairing. Only the transmission ofthe plurality of master data sets {Bi, Vi, Ai} and of the lock H₃ to theprovision server is illustrated in step 802 in FIG. 8, for reasons ofclarity.

In step 803, the area cutting takes place in the assignment server 67.

In step 804, each of the L decentralized units 71-1 . . . 71-L receivesall the access authorizations for the areas assigned to it on this day.This is constituted symbolically by the notation {B_(i), V_(i),A_(i)}_(l) in step 804, wherein the index l runs from 1 to L and thenotation {B_(i), V_(i), A_(i)}_(l) denotes the master data of all theparcel boxes in the area l (wherein once again for reasons of claritythe further master data elements LockID, address information and MACaddress are not illustrated and it is assumed that each decentralizedunit obtains only the master data of the parcel boxes of a respectivedelivery area, although this is not mandatory). A decentralized unitthen “refuels” one (or else a plurality of) handheld scanner(s) within adelivery area l with the master data {B_(i), V_(i), A_(i)}_(l) of theparcel boxes of this delivery area.

A handheld scanner 68-2 (this is, for example, a handheld scannerassigned to the second decentralized unit 71-2 and the delivery area l=2thereof) obtains, in the context of the refueling, the master data{B_(i), V_(i), A_(i)}₂ of the parcel boxes for the area l=2 to which itwas allocated (step 805). This can be performed for example by means ofwired communication (e.g. via a docking station which is connected tothe decentralized unit 71-2 and into which the handheld scanner 68-2 isplaced) and/or wireless communication (e.g. by means of WLAN or GRPS).

In step 806, the handheld scanner 68-2—for the purpose of opening aparcel box 69-k in its area, selected by way of example—with the aid ofthe MAC address of the lock of said parcel box 69-k determines aBluetooth connection to the lock and transmits the access authorizationB_(k), the validation information V_(k), the authorization feature Akand further validation information, as described with regard to FIG. 4,to the lock (step 806).

In step 807, the lock validates the authorization on the basis of V_(k)and S_(2,k) (analogously to the description of FIG. 4) and opens in thecase of correct authorization. Step 808, finally, involves sending acorresponding status message and for example the battery status back tothe handheld scanner.

As is evident from the explanations above, the authentication of thehandheld scanner 68-2 vis-à-vis the lock of the parcel box 69-k isperformed with the aid of the key H₃. No individual device key H₃ isassigned to the handheld scanner 68-2. Instead, a group key H₃ isgenerated, wherein all the handheld scanners 68 form the group in thisregard and use the same key H₃. In the context of the refueling, thegroup key H₃ is transmitted to a handheld scanner. An accessauthorization for this “group key” H₃ is then issued per lock, saidaccess authorization effectively being valid for all the handheldscanners. The key H₃ is transmitted for example from the key server 60to the provision server (step 802), and then to all the decentralizedunits (step 804), preferably via secure connections, in order to preventit from being spied out. By way of example, the transmission from thekey server 60 to the provision server 66 and/or to the decentralizedunit 71-2 is performed in an encrypted manner by means of SSL/TLS. Theconnection between decentralized unit 71-2 and handheld scanner 68-2 inthe refueling should likewise be correspondingly safeguarded.

Blocking of Handheld Scanners

The access authorizations with which the handheld scanners 68 operateare in each case issued anew for example for 1 day. If it is necessaryto block a handheld scanner 68, for example after loss of the device, itis necessary to create a rejection list for each lock to which thehandheld scanner 68 had access. The rejection list would then have to bebrought by means of a kind of “token” to the corresponding locks andloaded therein, but this means a considerable outlay.

This problem is adequately solved by virtue of the fact that the accessauthorizations B are issued for as narrow a time window as possible(e.g. temporal validity only 1 day) and/or for the fewest possible uses(e.g. a maximum of 3 uses per day). Further or alternatively, thehandheld scanner software can restrict the use of the accessauthorizations as much as possible, for example by the opening of a lockof a parcel box 69 being offered only if a corresponding piece of mailis also present for said parcel box 69 (this can be achieved for exampleby coordination of the address data (e.g. zip code, street and housenumber, contained in coded form in the so-called “routing code”) of mailwith the address data (which are coded for example in a similar form tothat in the case of the routing code)—contained in the master data—ofparcel boxes 69 and/or the addresses (which are coded for example in asimilar form to the case of the routing code) of the users 63 of parcelboxes 69 (by means of which a parcel box 69 can then in turn be uniquelyassigned). These addresses are transmitted to the handheld scannerparticularly for this purpose). In particular, the situation should alsobe prevented in which a “blocked” handheld scanner, in particular afterloss, on subsequent days is connected to a decentralized unit andrefueled.

As a result of this procedure, a dedicated blocking of handheld scanners68 by means of rejection lists is not absolutely necessary. Inparticular, the rejection lists that serve for blocking other lost ILAand/or GLA tokens (e.g. cellular phones 61, deliverer tags 74 and usertags 62) then remain smaller, which is advantageous since they have tobe stored by the lock. The advantages afforded by rejection lists forthe use of cellular phones 61 and, if appropriate, NFC tags 74, 62 (onwhich the access authorizations have a longer temporal validity than theaccess authorizations present on the handheld scanners 68) do not existfor the handheld scanners in the case of the procedure described above.

Transmission of the Rejection Lists

As is evident from FIG. 11, the handheld scanner 68 does not have toauthenticate itself vis-à-vis the lock in the transmission of arejection list (step 1103). Accordingly, the limitations that occur withthe use of access authorizations (in particular with regard toauthentication) do not exist. The rejection lists can be augmented forexample per lock as master data in the provision server 66 and can betransmitted to the handheld scanners 68 in refueling. This may have theeffect that the opening of a lock takes longer, since, in accordancewith FIG. 11, the communication of the rejection list to the lock (step1103) takes place before the authorization check (step 1105). Since,moreover, the key server 60 has no information about the successfulcommunication of a rejection list to a lock, the current rejection listwould be distributed and transmitted in the event of each access to thelock.

The following procedure appears to be advantageous: blockings areperformed by a main user, a co-user or on behalf thereof. The rejectionlists thereupon generated by the key server 60 are then transmitted tothe lock of the parcel box 69 by the corresponding cellular phone. Viathe provision server 66, the handheld scanner 68 notifies the key server60 of the successful or unsuccessful transmission of the rejection listto the lock.

Keys for Delivery Personnel with NFC Tokens

As described in sections, there is a difference between tokens of theILA type (handheld scanner 68, cellular phone 61, NFC tokens 62 ofparcel box users 63) and of the GLA type (NFC tokens 74 of deliverypersonnel 70). There are various reasons for this differentiation, whichare mentioned below:

-   -   1. NFC tokens cannot be equipped with access authorizations        without a certain outlay.    -   2. NFC tokens of delivery personnel should be able to open all        locks in a specific, in particular static, area.    -   3. NFC tokens are unable to store many access authorizations.

Requirement (2) makes it clear that delivery personnel 70 should beequipped with an NFC token 74 that is valid in a specific area. For thispurpose, a group key S_(T2) that can open a group of locks (and thusparcel boxes 69) is stored on the NFC token 74. As is evident fromrequirement (3), it is not possible to equip delivery personnel 70 withindividual access authorizations for all locks in a specific area.

For this reason, the lock is equipped with two or possibly more(symmetrical or asymmetrical) keys: one key S₂ (“individual key”, with acorresponding symmetrical or asymmetrical key S₁) for interacting withILA tokens, and one or more keys S_(T2) (“group key”, with acorresponding symmetrical or asymmetrical key S_(T1)) for operationswith the GLA tokens of the delivery personnel 70. The main differencebetween these keys is that the first-mentioned key S₂ is unique for eachlock and the further key S_(T2) is shared by a plurality of locks.

While the unique key S₂ of the lock is applied during the productionprocess—and is invariable, in particular—the group key S_(T2) can bechanged dynamically (e.g. by a handheld scanner 68) during the operatingtime of the lock.

The exchangeable keys S_(T2) for GLA tokens are described below.

The key server 60 generates an access authorization and provides thelatter with validation information in accordance with the correspondinggroup keys S_(T1) of a respective delivery area. The device keys areapplied, together with an access authorization, to the NFC tokens of thedelivery personnel.

This is illustrated schematically in FIG. 9. Here the NFC tokens (Mpieces) 74-1 . . . 74-M are distributed to respective delivery personnel(e.g. via a server of token production 73), in order to be able to openlocks in N areas (area 1 . . . area N). Correspondingly, via the serverof lock production 72 (or later by means of the update function forgroup keys), the group keys S_(T2,1) . . . S_(T2,N) are stored in thelocks of the parcel boxes of the respective areas 1 . . . N, that is tosay group keys S_(T2,1) are stored in the locks of the parcel boxes ofarea 1, etc.

It is assumed that an NFC token i requires access to all locks in adelivery area j. In this case, the token i requires the followinginformation (data): access authorizations B_(i); validation featureV_(i) of the delivery area j (formed by cryptographic operations on Biusing the group key S_(T1,j)); authentication value A_(i), which in turncomprises at least one combination—encrypted using S_(T1,j)—of at leastthe key H_(4,i) and the KeyID_(i) and for example further comprises theLockID_(j) that codes the group identifier of the area j. It then holdstrue that, in a delivery area j (j from 1 to N), any delivery personnelhaving access authorization for the area j can open every lock using theNFC token of said delivery personnel.

Delivery areas are static in their nature. In this case, requirement (1)must be taken into consideration, which states that it is technicallyand economically laborious to alter (update) the access authorizationstoo often. On the other hand, use should not be made of accessauthorizations which are valid forever, which constitutes an increasedsecurity risk. For this reason it is expedient to issue accessauthorizations for an extended but limited period of time, e.g. a fewmonths or years. After the period of validity has expired, all tokensmust be reprogrammed in order to obtain new access authorizations Bi.

Group Keys

In the system in FIG. 3 it may be provided, for example, that letterdeliverers use the NFC tags 74 for opening parcel boxes (for example fordelivering large-format letters), and that the NFC tags 74 are also usedby parcel deliverers at least at times (for example as an alternative tohandheld scanners 68). In this case, it should be taken intoconsideration that delivery areas for deliverers in ZB (standarddelivery, delivery bases) and ZSPL (combination delivery, that is to saydelivery of letters and parcels) can overlap.

Therefore, there is the possibility that a parcel box sometimes isopened using a tag that “belongs” to one specific delivery area, andsometimes is opened using a different tag that belongs to a differentdelivery area.

This is illustrated schematically in FIG. 10. In this case, a firstparcel box 110 is assigned only to a first delivery area 11 (ZB), and asecond parcel box 120 is assigned to a second delivery area 12 (ZSPL),while a third parcel box 130 is assigned both to the first delivery area11 and to the second delivery area 12.

This problem can be solved by virtue of the fact that those parcel boxeswhich are situated in an overlap area (e.g. parcel box 130 in FIG. 10)can obtain two group keys and then grant access for both tags (possiblyeven more than two, but for example a maximum of five).

Each delivery area (group) has a GroupID (group identifier). The groupkeys S_(T2) are then stored together with corresponding GroupIDs in thelock:

-   -   (GroupID₁, S_(T2,1)), (GroupID₂, S_(T2,2)), . . .

If the delivery base area ZB 11 has a GroupID GroupZB and the ZSPL 12has a GroupID GroupZSPL, and S_(T2,ZB) and S_(T2,ZSPL) are thecorresponding group keys, then the lock of the parcel box 110 has storedthe tuple (GroupZB, S_(T2,ZB)), the lock of the parcel box 120 hasstored the tuple (GroupZSPL, S_(T2,ZSPL)), and the lock of the parcelbox 130 has stored both tuples (GroupZB, S_(T2,ZB)) and (GroupZSPL,S_(T2,ZSPL)). Each of the locks further also has a respective individualkey S_(2,1), as has already been described above.

During the authentication phase, a token transmits the LockID, which isalso situated in the access authorization for the lock. The LockID givesthe lock an instruction (e.g. by means of a coding of predetermined bitpositions of the LockID) with regard to which key is intended to be usedfor the decryption and validation. The LockID indicates either theindividual key S₂ of the lock or one of potentially a plurality of groupkeys S_(T2) by virtue of the GroupID being correspondingly coded intothe LockID.

In the above example, a deliverer of ZB 11 can open the lock of theparcel box 130 by communicating GroupZB as part of the LockID. Equally,a deliverer of ZSPL 12 can open the lock of the parcel box 130 bycommunicating GroupZSPL as a part of the LockID. The lock has both keysand can react accordingly.

If a GLA token, e.g. from the area ZB 11, is lost, only the locks of theparcel boxes in the area ZB 11, in particular the parcel boxes 110 and130, have to receive a corresponding rejection list update. By contrast,the locks of the parcel boxes of ZSPL 12 do not have to be provided witha new rejection list.

Keys H and Access Authorizations of the NFC Token of the Owner

An explanation has already been given of how the key server 60 generatesthe access authorizations and keys for the handheld scanners 68 and howthese access authorizations are transmitted to the handheld scanners 68.The key server 60 also generates the keys and access authorizations forthe user 63 of the parcel box, in particular the owner thereof. The user63 of the parcel box always has an NFC token 62 available, for example.By way of example, the user 63 obtains two NFC tokens 62 for his/herparcel box 69 in the course of an order.

The opening of the lock of the parcel box 69 using an NFC token 62 thenproceeds as follows. The key server 60 generates the accessauthorization B for the NFC token 62, which is validated in each casewith a corresponding (lock-specific) key S₁. The key S₁ together with akey S₂ stored in the lock forms a symmetrical or asymmetrical key pair.A pair (B,V) is calculated as already described a number of times,wherein B constitutes an access authorization and V constitutes forexample an MAC or a digital signature for the authorization B using thekey S₁. An authentication feature A is also calculated, which comprisesa combination—encrypted using S1—of at least the key H4 and the KeyIDand for example further the LockID, wherein H₄ together with a key H₃forms a symmetrical or asymmetrical key pair and the key H₃ is stored inthe token. KeyID is an identifier of the access authorization and LockIDcodes the individual identifier of the lock. The authorization B and thefeatures V and A and the key H₃ are transferred to a programmingstation. The programming station writes the data B, V, A, H₃ to the NFCtoken(s) 62 of the user 63. For opening the parcel box 69, the NFC token62 determines a connection to the lock of the parcel box 69, authorizesitself vis-à-vis the lock and transmits the access authorization andvalidation features (cf. the description concerning FIG. 5). The lockvalidates the authorization with the aid of the validation features andopens in the case of sufficient authorization.

As exemplary embodiments of the present invention, the following arefurther intended to be disclosed:

Exemplary Embodiments 1-33

The embodiments defined in claims 1-33.

Exemplary Embodiment 34

A method for generating access authorization information (B, V), themethod comprising

-   -   generating first check information (V) by performing        cryptographic operations on one or more access authorization        parameters (B) using at least one first key (S₁, S_(T1)) of a        symmetrical or asymmetrical key pair,    -   generating access authorization information (B, V) comprising at        least the one or the plurality of access authorization        parameters (B) and the first check information (V), and    -   outputting the access authorization information (B, V) for        storage on an access authorization proving apparatus (3)        configured to communicate the access authorization information        (B, V) to at least one access control apparatus (4) in order to        enable the latter to decide whether access is permitted to be        granted on the basis of the communicated access authorization        information (B, V), wherein necessary conditions for granting        access are that first checking, using at least the communicated        access authorization parameters (B), the communicated first        check information (V) and a second key (S₂, S_(T2)) of the key        pair, said second key being stored in the access control        apparatus (4), whether the communicated first check        information (V) was generated by performing cryptographic        operations on access authorization parameters (B) corresponding        to the communicated access authorization parameters (B) using at        least the first key (S₁, S_(T1)) of the key pair, yields a        positive result and that it is determined that at least one        predefined set of the communicated access authorization        parameters (B), in view of respective pieces of reference        information present in the access control apparatus (4) at least        at the time of the first checking, respectively authorize for        access.

Exemplary Embodiment 35

The method according to exemplary embodiment 34, wherein the key pair isan asymmetrical key pair, wherein generating the first check information(V) comprises generating a digital signature by means of the accessauthorization parameters (B) using at least the first key of the keypair.

Exemplary Embodiment 36

The method according to exemplary embodiment 34, wherein the key pair isa symmetrical key pair, and wherein the first checking comprisesperforming the same cryptographic operations (KRYPT) as are used whengenerating the first check information (V), on the communicated accessauthorization parameters (B) using at least the second key (S₂, S_(T2))of the key pair for obtaining locally generated first check informationand comparing the communicated first check information (V) with thelocally generated first check information.

Exemplary Embodiment 37

The method according to exemplary embodiment 36, wherein thecryptographic operations serve for determining a message authenticationcode (MAC) as check information (V).

Exemplary Embodiment 38

The method according to any of exemplary embodiments 34-37, wherein theaccess control apparatus (4) constitutes an access control apparatus (4)from a plurality of access control apparatuses, wherein a second key(S₂) of a symmetrical or asymmetrical individual key pair is stored inthe access control apparatus (4), said second key being stored only onthe access control apparatus (4), but on none of the other accesscontrol apparatuses of the plurality of access control apparatuses, andwherein the first key (S, S_(T1)) of the key pair that is used whengenerating the first check information is the first key (S₁) of theindividual key pair.

Exemplary Embodiment 39

The method according to any of exemplary embodiments 34-37, wherein theaccess control apparatus (4) constitutes an access control apparatus (4)from a plurality of access control apparatuses,

wherein a second key (S₂) of a symmetrical or asymmetrical individualkey pair is stored in the access control apparatus (4), said second keybeing stored only on the access control apparatus (4), but on none ofthe other access control apparatuses of the plurality of access controlapparatuses,

wherein a second key (S_(T2)) of a symmetrical or asymmetrical group keypair is further stored in the access control apparatus (4), said secondkey being different than the second key of the individual key pair andbeing stored in all the access control apparatuses of a group of accesscontrol apparatuses from the plurality of access control apparatusesthat comprises the access control apparatus (4),

wherein the first key (S₁) of the key pair that is used when generatingthe first check information is either the first key (S₁, S_(T1)) of theindividual key pair or the first key (S_(T1)) of the group key pair.

Exemplary Embodiment 40

The method according to exemplary embodiment 39, wherein at least onesecond key (S_(T2)) of a symmetrical or asymmetrical further group keypair is further stored in the access control apparatus (4), said atleast one second key being different than the second key (S₂) of theindividual key pair and the second key (S_(T2)) of the group key pairand being stored in all the access control apparatuses of a furthergroup of access control apparatuses from the plurality of access controlapparatuses that comprises the access control apparatus (4), saidfurther group including, however, at least one or more other accesscontrol apparatuses in comparison with the group of access controlapparatuses, and wherein the second key (S₂, S_(T2)) of the key pairthat is used in the first checking is either the second key (S₂) of theindividual key pair, the second key (S_(T2)) of the group key pair orthe second key (S_(T2)) of the further group key pair.

Exemplary Embodiment 41

The method according to either of exemplary embodiments 39-40, whereinprovision is not made for changing the second key (S₂) of the individualkey pair in the access control apparatus (4), for erasing said secondkey or for exchanging it for another key, but wherein it is providedthat the second key (S_(T2)) of the group key pair can be changed orerased or exchanged for another key.

Exemplary Embodiment 42

The method according to any of exemplary embodiments 39-41, furthercomprising:

-   -   generating group key information (W) comprising at least one        second key (S_(T2))—encrypted with the first key (S₁) of the        individual key pair—of a new symmetrical or asymmetrical group        key pair for the same or an at least partly different group of        access control apparatuses from the plurality of access control        apparatuses,    -   outputting the group key information (W) for storage on the        access authorization proving apparatus (3), which is configured        to communicate the group key information at least to the access        control apparatus (4) in order to enable the latter to store in        the access control apparatus (4) the second key (S_(T2)) of the        new group key pair, which second key is obtainable by decryption        of the communicated encrypted second key (S_(T2)) of the new        group key pair using at least the second key (S₂) of the        individual key pair, such that the second key (S₂, S_(T2)) of        the key pair that is used in the first checking is either the        second key (S₂) of the individual key pair or the second key        (S_(T2)) of the new group key pair,

Exemplary Embodiment 43

The method according to exemplary embodiment 42, further comprising:

-   -   generating second check information (V_(W)), and    -   outputting the second check information (V_(W)) for storage on        the access authorization proving apparatus (3), which is        configured to communicate the second check information (V_(W))        at least to the access control apparatus (4), and wherein the        second key of the new group key pair, which second key is        obtainable by the decryption, is stored in the access control        apparatus (4) only under the precondition that, in the case of a        check based at least on the communicated second check        information (V_(W)), the second key (S₂) of the individual key        pair and the communicated group key information (W), it is        determined that the communicated second check information        (V_(W)) was generated by performing cryptographic operations on        the group key information corresponding to the communicated        group key information (W) using at least the first key (S₁) of        the individual key pair.

Exemplary Embodiment 44

The method according to exemplary embodiment 43, wherein the group keyinformation (W) further comprises a counter (update_counter) that isincremented with each new group key pair, and wherein the second key(S_(T2)) of the new group key pair that is obtained by the decrypting isstored in the access control apparatus (4) only under the furtherprecondition that a value of a counter (update_counter) comprised by thegroup key information is greater than a value of a counter provided inthe access control apparatus (4), and wherein, in or after the storageof the second key (S_(T2)) of the new group key pair in the accesscontrol apparatus (4), the value of the counter in the access controlapparatus (4) is updated to the value of the counter (update_counter)comprised by the group key information.

Exemplary Embodiment 45

The method according to either of exemplary embodiments 43-44, whereinthe group key information further comprises an individual identifier(LockID) of the access control apparatus (4), and wherein the second key(S_(T2)) of the new group key pair that is obtained by the decrypting isstored in the access control apparatus (4) only under the furtherprecondition that an individual identifier (LockID) of the accesscontrol apparatus (4) that is stored in the access control apparatus (4)corresponds to the individual identifier (LockID) comprised in the groupkey information.

Exemplary Embodiment 46

The method according to any of exemplary embodiments 42-45, wherein thegroup key information further comprises a group identifier (GroupID)associated with the new group key pair, said group identifier beingcommon to all the access control apparatuses of the group of accesscontrol apparatuses for which the new group key pair is intended, andwherein the group identifier (GroupID) obtained by the decrypting isstored in the access control apparatus (4).

Exemplary Embodiment 47

The method according to any of exemplary embodiments 34-46, wherein oneof the access authorization parameters is an identifier (LockID) foronly one access control apparatus (4) or a group of access controlapparatuses, and wherein it is determined in the access controlapparatus (4) that the identifier authorizes for access if theidentifier (LockID) corresponds to an individual identifier (LockID) ofthe access control apparatus (4) that is stored in the access controlapparatus (4) and/or a group identifier (GroupID) for a group of accesscontrol apparatuses to which the access control apparatus (4) belongs.

Exemplary Embodiment 48

The method according to any of exemplary embodiments 39-46, wherein oneof the access authorization parameters is an identifier (LockID) onlyfor the access control apparatus (4) or a group of access controlapparatuses which includes the access control apparatus (4), wherein itis determined in the access control apparatus (4) that the identifier(LockID) authorizes for access if the identifier corresponds to anindividual identifier (LockID) of the access control apparatus (4) thatis stored in the access control apparatus (4) and/or a group identifier(GroupID) for a group of access control apparatuses to which the accesscontrol apparatus (4) belongs, wherein the first check information (V)of access authorization information which has an identifier (LockID)only for the access control apparatus (4) is generated by performingcryptographic operations on the access authorization parameters (B)using at least the first key (S₁) of the individual key pair, andwherein the first check information (V) of access authorizationinformation which has an identifier (LockID) for the group of accesscontrol apparatuses is generated by performing cryptographic operationson the access authorization parameters using at least the first key(S_(T1)) of the group key pair.

Exemplary Embodiment 49

The method according to exemplary embodiment 48, wherein on the basis ofthe identifier (LockID), in particular on the basis of a predefinedformat of the identifier, in the access control apparatus (4), it ispossible to identify whether an identifier for only one access controlapparatus (4) or an identifier for a group of access control apparatusesis involved, such that either the second key (S₂) of the individual keypair or the second key (S_(T2)) of the group key pair can be selected ineach case appropriately for the first checking.

Exemplary Embodiment 50

The method according to any of exemplary embodiments 34-49, wherein oneof the access authorization parameters (B) is an identifier (KeyID) forthe access authorization information (B, V) or for the accessauthorization proving apparatus (3) which communicates the accessauthorization information (B, V) to the access control apparatus (4),and wherein it is determined that the identifier (KeyID) authorizes foraccess if the identifier is not contained in a rejection list (RL)stored in the access control apparatus (4).

Exemplary Embodiment 51

The method according to any of exemplary embodiments 34-50, furthercomprising:

-   -   encrypting a fourth key (H₄) using at least the first key (S₁,        S_(T1)) of the key pair, wherein the fourth key (H₄) can be used        in an authentication of the access control apparatus (4)        vis-à-vis the access authorization proving apparatus (3), which        communicates the access authorization information to the access        control apparatus (4), or in the checking of the authenticity        and/or integrity of information communicated to the access        control apparatus (4),    -   generating information (A) comprising at least the encrypted        fourth key (H₄), and    -   outputting the information (A) for storage on the access        authorization proving apparatus (3), which is configured to        communicate the information (A) at least to the access control        apparatus (4) in order to enable the latter to decrypt the        encrypted fourth key using at least the second key (S₂, S_(T2))        of the key pair and to use said fourth key.

Exemplary Embodiment 52

The method according to any of exemplary embodiments 34-50, furthercomprising:

-   -   encrypting a combination of a fourth key (H₄) and an identifier        (KeyID) for the access authorization information (B, V) or for        the access authorization proving apparatus (3), which        communicates the access authorization information (B, V) to the        access control apparatus (4), using at least the first key (S₁,        S_(T1)) of the key pair, wherein the fourth key (H₄) can be used        in an authentication of the access control apparatus (4)        vis-à-vis an access authorization proving apparatus (3), which        communicates the access authorization information (B, V) to the        access control apparatus, or in the checking of the authenticity        and/or integrity of information communicated to the access        control apparatus (4),    -   generating information (A) comprising at least the encrypted        combination, and    -   outputting the information (A) for storage on the access        authorization proving apparatus (3), which is configured to        communicate the information (A) at least to the access control        apparatus (4) in order to enable the latter to decrypt the        encrypted combination using at least the second key (S₂, S_(T2))        of the key pair, in order to obtain the fourth key (H₄) and the        identifier,

wherein the identifier (KeyID) further constitutes one of the accessauthorization parameters (B), and wherein it is determined in the accesscontrol apparatus (4) that the identifier (KeyID) contained in thecommunicated access authorization information (B, V) authorizes foraccess if the identifier (KeyID) contained in the communicated accessauthorization information (B, V) corresponds to the identifier (KeyID)obtained by decrypting the encrypted combination.

Exemplary Embodiment 53

The method according to any of exemplary embodiments 34-50, furthercomprising:

-   -   encrypting a combination of a fourth key (H₄) and an identifier        (KeyID) for the access authorization information (B, V) or for        the access authorization proving apparatus (3), which        communicates the access authorization information (B, V) to the        access control apparatus (4), using at least the first key (S₁,        S_(T1)) of the key pair, wherein the fourth key (H₄) can be used        in an authentication of the access control apparatus (4)        vis-à-vis an access authorization proving apparatus (3), which        communicates the access authorization information (B,V) to the        access control apparatus (4), or in the checking of the        authenticity and/or integrity of information communicated to the        access control apparatus (4),    -   generating information (A) comprising at least the encrypted        combination, and    -   outputting the information (A) for storage on the access        authorization proving apparatus (3), which is configured to        communicate the information (A) at least to the access control        apparatus (4) in order to enable the latter to decrypt the        encrypted combination using at least the second key (S₂, S_(T2))        of the key pair, in order to obtain the fourth key (H₄) and the        identifier,

wherein the identifier (KeyID) further constitutes one of the accessauthorization parameters (B), and wherein it is determined in the accesscontrol apparatus (4) that the identifier (KeyID) contained in thecommunicated access authorization information (B, V) authorizes foraccess if the identifier (KeyID) contained in the communicated accessauthorization information (B, V) corresponds to the identifier (KeyID)obtained by decrypting the encrypted combination and the identifier(KeyID) is not contained in a rejection list (RL) stored in the accesscontrol apparatus (4).

Exemplary Embodiment 54

The method according to either of exemplary embodiments 52-53, whereinthe access authorization information (B, V) communicated to the accesscontrol apparatus (4) is stored in identical form on at least two accessauthorization proving apparatuses (3), wherein the identical accessauthorization information (B, V) stored on the at least two accessauthorization proving apparatuses (3) in each case has the sameidentifier (KeyID) for the access authorization information (B, V) andsaid access authorization information (B, V) is associated in each casewith the same fourth key (H₄).

Exemplary Embodiment 55

The method according to exemplary embodiment 54, wherein the accessauthorization information (B, V) communicated to the access controlapparatus (4) has a limited temporal validity and/or has only a limitedpermissible number of access processes within its period of validityand/or can be or is only communicated to the access control apparatus(4) by the access authorization proving apparatus (3) if it isdetermined at the access authorization proving apparatus (3) that thereis a need for the access to the access control apparatus (4).

Exemplary Embodiment 56

The method according to any of exemplary embodiments 51-55, wherein thefourth key (H₄) together with a third key (H₃) forms a symmetrical orasymmetrical key pair, the method further comprising:

-   -   outputting the third key (H₃) to the access authorization        proving apparatus (3) in order to enable the access        authorization proving apparatus (3), by performing cryptographic        operations on a challenge (R) generated by the access apparatus,        the access authorization parameters (B) and the first check        information (V) using at least the third key (H₃), to generate        third check information (V′) and to communicate it to the access        control apparatus (4), wherein a further necessary condition for        granting access is a second checking, performed on the access        control apparatus, using at least the challenge (R), the        communicated access authorization parameters (B), the        communicated first check information (V), the communicated third        check information (V′) and the fourth key (H₄), reveals that the        communicated third check information (V′) was generated by        performing cryptographic operations on information corresponding        to the challenge (R), the communicated access authorization        parameters (B) and the communicated first check information (V),        using at least the third key (H₃).

Exemplary Embodiment 57

The method according to any of exemplary embodiments 51-55, wherein theaccess control apparatus (4) can authenticate itself vis-à-vis theaccess authorization proving apparatus (3) using at least the fourth key(H₄), wherein the access authorization information (B, V) iscommunicated from the access authorization proving apparatus (3) to theaccess control apparatus (4) only in the event of successfulauthentication.

Exemplary Embodiment 58

The method according to either of exemplary embodiments 50 and 53,further comprising:

-   -   generating fourth check information (V_(L)) by performing        cryptographic operations on rejection information (L) using at        least the first key (S1, S_(T1)) of the key pair, wherein the        rejection information (L) comprises at least one new rejection        list (RL) with identifiers (KeyIDs) for access authorization        information (B, V) to be rejected or for access authorization        proving apparatuses (3) that are to reject access authorization        information (B, V) at the access control apparatus (4), and    -   outputting the rejection information (L) and the fourth check        information (V_(L)) for storage on the access authorization        proving apparatus (3), which is configured to communicate the        rejection information (L) and the fourth check information        (V_(L)) at least to the access control apparatus (4), wherein        the communicated new rejection list (RL) is stored in the access        control apparatus (4) only under the precondition that, in the        case of a check based at least on the communicated fourth check        information (V_(L)), the second key (S₂, S_(T2)) of the key pair        and the communicated rejection information (L), it is determined        that the communicated fourth check information (V_(L)) was        generated by performing cryptographic operations on the        rejection information corresponding to the communicated        rejection information (L) using at least the first key (S₁,        S_(T1)) of the key pair.

Exemplary Embodiment 59

The method according to exemplary embodiment 58, wherein the rejectioninformation (L) further comprises a counter (Counter) that isincremented with each new rejection list (RL), and wherein the newrejection list (RL) is stored in the access control apparatus (4) onlyunder the further precondition that the value of the counter (Counter)comprised by the rejection information (L) is greater than a value of acounter provided in the access control apparatus (4), and wherein thevalue of the counter of the access control apparatus (4) is updated tothe value of the counter (Counter) comprised by the rejectioninformation (L) in or after the storage of the new rejection list (RL)in the access control apparatus (4).

Exemplary Embodiment 60

The method according to either of exemplary embodiments 58-59, whereinthe rejection information (L) further comprises an identifier (LockID)of only one access control apparatus (4) or a group of access controlapparatuses on which the new rejection list (RL) is intended to bestored, and wherein the new rejection list (RL) is stored in the accesscontrol apparatus (4) only under the further precondition that anindividual identifier (LockID) of the access control apparatus (4) thatis stored in the access control apparatus (4) or a group identifier(GroupID) for a group of access control apparatuses that contains theaccess control apparatus (4) corresponds to the identifier comprised inthe rejection information.

Exemplary Embodiment 61

—

Exemplary Embodiment 62

—

Exemplary Embodiment 63

The method according to any of exemplary embodiments 34-60, wherein oneof the access authorization parameters (B) indicates to what extent, inparticular to which openings of the access control apparatus (4) or towhich openings of an apparatus controlled by the access controlapparatus (4), access is intended to be granted.

Exemplary Embodiment 64

A computer program, comprising program instructions that cause aprocessor to perform and/or control the method according to any ofexemplary embodiments 34 to 63 if the computer program runs on theprocessor.

Exemplary Embodiment 65

An access authorization generation apparatus (2), configured to performand/or control the method according to any of exemplary embodiments34-63 or comprising respective means for performing and/or controllingthe steps of the method according to any of exemplary embodiments 34-63.

Exemplary Embodiment 66

A method for proving an access authorization, performed by an accessauthorization proving apparatus (3), the method comprising:

-   -   communicating access authorization information (B, V) comprising        at least one or more access authorization parameters (B) and        first check information (V) to an access control apparatus (4)        in order to enable the latter to decide whether access is        permitted to be granted on the basis of the communicated access        authorization information (B, V),

wherein necessary conditions for granting access are that firstchecking, using at least the communicated access authorizationparameters (B), the communicated first check information (V) and asecond key (S₂, S_(T2)) of a symmetrical or asymmetrical key pair, saidsecond key being stored in the access control apparatus (4), whether thecommunicated first check information (V) was generated by performingcryptographic operations on access authorization parameters (B)corresponding to the communicated access authorization parameters (B)using at least a first key (S₁, S_(T1)) of the key pair, yields apositive result and that it is determined that at least one predefinedset of the communicated access authorization parameters (B), in view ofrespective pieces of reference information present in the access controlapparatus (4) at least at the time of the first checking, respectivelyauthorize for access.

Exemplary Embodiment 67

The method according to exemplary embodiment 66, wherein the accessauthorization information (B, V) is generated by an access authorizationgeneration apparatus (2) and stored in the access authorization provingapparatus (3) before the access authorization proving apparatus (3) isissued for the first time to a user of the access authorization provingapparatus (3).

Exemplary Embodiment 68

The method according to exemplary embodiment 67, wherein the accessauthorization proving apparatus (3) is a portable RFID or NFC unit, inparticular an RFID or NFC tag.

Exemplary Embodiment 69

The method according to exemplary embodiment 66, wherein the accessauthorization information (B, V) is generated by an access authorizationgeneration apparatus (2) and communicated to the access authorizationproving apparatus (3) via an at least partly wireless communicationlink, in particular a cellular mobile radio network.

Exemplary Embodiment 70

The method according to exemplary embodiment 69, wherein the accessauthorization proving apparatus (3) is a portable terminal configuredfor wireless communication, in particular a cellular phone.

Exemplary Embodiment 71

The method according to exemplary embodiment 66, wherein the accessauthorization information (B, V) is generated by an access authorizationgeneration apparatus (2), is transmitted via a communication network toa computer and, under the control thereof, is communicated to the accessauthorization proving apparatus (2).

Exemplary Embodiment 72

The method according to exemplary embodiment 71, wherein the accessauthorization proving apparatus (3) is a handheld scanner.

Exemplary Embodiment 73

The method according to any of exemplary embodiments 66-72, whereincommunicating information from the access authorization provingapparatus (3) to the access control apparatus (4) is performedwirelessly, in particular by means of RFID, NFC or Bluetoothcommunication.

Exemplary Embodiment 74

The method according to any of exemplary embodiments 66-73, wherein thekey pair is an asymmetrical key pair, wherein the first checkinformation (V) is generated as a digital signature by means of theaccess authorization parameters (B) using at least the first key (S₁) ofthe key pair.

Exemplary Embodiment 75

The method according to any of exemplary embodiments 66-73, wherein thekey pair is a symmetrical key pair, and wherein the first checkingcomprises performing the same cryptographic operations (KRYPT) as areused when generating the first check information (V), on thecommunicated access authorization parameters (B) using at least thesecond key (S₂, S_(T2)) of the key pair for obtaining locally generatedfirst check information and comparing the communicated first checkinformation (V) with the locally generated first check information.

Exemplary Embodiment 76

The method according to exemplary embodiment 75, wherein thecryptographic operations serve for determining a message authenticationcode (MAC) as check information (V).

Exemplary Embodiment 77

The method according to any of exemplary embodiments 66-76, wherein theaccess control apparatus (4) constitutes an access control apparatus (4)from a plurality of access control apparatuses, wherein a second key(S₂) of a symmetrical or asymmetrical individual key pair is stored inthe access control apparatus (4), said second key being stored only onthe access control apparatus, but on none of the other access controlapparatuses of the plurality of access control apparatuses, and whereinthe first key (S₁, S_(T1)) of the key pair that is used when generatingthe first check information is the first key (S₁) of the individual keypair.

Exemplary Embodiment 78

The method according to any of exemplary embodiments 66-76, wherein theaccess control apparatus (4) constitutes an access control apparatus (4)from a plurality of access control apparatuses,

wherein a second key (S₂) of a symmetrical or asymmetrical individualkey pair is stored in the access control apparatus (4), said second keybeing stored only on the access control apparatus, but on none of theother access control apparatuses of the plurality of access controlapparatuses,

wherein a second key (S_(T2)) of a symmetrical or asymmetrical group keypair is further stored in the access control apparatus (4), said secondkey being different than the second key of the individual key pair andbeing stored in all the access control apparatuses of a group of accesscontrol apparatuses from the plurality of access control apparatusesthat comprises the access control apparatus (4), wherein the first key(S₁, S_(T1)) of the key pair that is used when generating the firstcheck information is either a first key (S₁) of the individual key pairor a first key (S_(T1)) of the group key pair.

Exemplary Embodiment 79

The method according to exemplary embodiment 78, wherein at least onesecond key (S_(T2)) of a symmetrical or asymmetrical further group keypair is further stored in the access control apparatus (4), said atleast one second key being different than the second key (S₂) of theindividual key pair and the second key (S_(T2)) of the group key pairand being stored in all the access control apparatuses of a furthergroup of access control apparatuses from the plurality of access controlapparatuses that comprises the access control apparatus (4), saidfurther group including, however, at least one or more other accesscontrol apparatuses in comparison with the group of access controlapparatuses, and wherein the second key (S₂, S_(T2)) of the key pairthat is used in the first checking is either the second key (S₂) of theindividual key pair, the second key (S_(T2)) of the group key pair orthe second key (S_(T2)) of the further group key pair.

Exemplary Embodiment 80

The method according to either of exemplary embodiments 78-79, whereinprovision is not made for changing the second key (S₂) of the individualkey pair in the access control apparatus (4), for erasing said secondkey or for exchanging it for another key, but wherein it is providedthat the second key (S_(T2)) of the group key pair can be changed orerased or exchanged for another key.

Exemplary Embodiment 81

The method according to any of exemplary embodiments 78-80, furthercomprising:

-   -   communicating group key information (W) comprising at least one        second key (S_(T2))—encrypted with the first key (S₁) of the        individual key pair—of a new symmetrical or asymmetrical group        key pair for the same or an at least partly different group of        access control apparatuses from the plurality of access control        apparatuses, to the access control apparatus (4) in order to        enable the latter to store in the access control apparatus (4)        the second key (S_(T2)) of the new group key pair, which second        key is obtainable by decryption of the communicated encrypted        second key (S_(T2)) of the new group key pair using at least the        second key (S₂) of the individual key pair, such that the second        key (S₂, S_(T2)) of the key pair that is used in the first        checking is either the second key (S₂) of the individual key        pair or the second key (S_(T2)) of the new group key pair,

Exemplary Embodiment 82

The method according to exemplary embodiment 81, further comprising:

-   -   communicating second check information (V_(W)) to the access        control apparatus, wherein the second key of the new group key        pair, which second key is obtainable by the decrypting, is        stored in the access control apparatus (4) only under the        precondition that, in the case of a check based at least on the        communicated second check information (V_(W)), the second key        (S₂) of the individual key pair and the communicated group key        information (W), it is determined that the communicated second        check information (V_(W)) was generated by performing        cryptographic operations on the group key information        corresponding to the communicated group key information (W)        using at least the first key (S₁) of the individual key pair.

Exemplary Embodiment 83

The method according to exemplary embodiment 82, wherein the group keyinformation (W) further comprises a counter (update_counter) that isincremented with each new group key pair, and wherein the second key(S_(T2)) of the new group key pair that is obtained by the decrypting isstored in the access control apparatus (4) only under the furtherprecondition that a value of a counter (update_counter) comprised by thegroup key information is greater than a value of a counter provided inthe access control apparatus (4), and wherein, in or after the storageof the second key (S_(T2)) of the new group key pair in the accesscontrol apparatus (4), the value of the counter in the access controlapparatus (4) is updated to the value of the counter (update_counter)comprised by the group key information.

Exemplary Embodiment 84

The method according to either of exemplary embodiments 82-83, whereinthe group key information further comprises an individual identifier(LockID) of the access control apparatus (4), and wherein the second key(S_(T2)) of the new group key pair that is obtained by the decrypting isstored in the access control apparatus (4) only under the furtherprecondition that an individual identifier (LockID) of the accesscontrol apparatus (4) that is stored in the access control apparatus (4)corresponds to the individual identifier (LockID) comprised in the groupkey information.

Exemplary Embodiment 85

The method according to any of exemplary embodiments 81-84, wherein thegroup key information further comprises a group identifier (GroupID)associated with the new group key pair, said group identifier beingcommon to all the access control apparatuses of the group of accesscontrol apparatuses for which the new group key pair is intended, andwherein the group identifier (GroupID) obtained by the decrypting isstored in the access control apparatus (4).

Exemplary Embodiment 86

The method according to any of exemplary embodiments 66-85, wherein oneof the access authorization parameters (B) is an identifier (LockID) foronly one access control apparatus (4) or a group of access controlapparatuses, and wherein it is determined in the access controlapparatus (4) that the identifier authorizes for access if theidentifier (LockID) corresponds to an individual identifier (LockID) ofthe access control apparatus (4) that is stored in the access controlapparatus (4) and/or a group identifier (GroupID) for a group of accesscontrol apparatuses to which the access control apparatus (4) belongs.

Exemplary Embodiment 87

The method according to any of exemplary embodiments 78-85, wherein oneof the access authorization parameters is an identifier (LockID) onlyfor the access control apparatus (4) or a group of access controlapparatuses which includes the access control apparatus (4), wherein itis determined in the access control apparatus that the identifier(LockID) authorizes for access if the identifier corresponds to anindividual identifier (LockID) of the access control apparatus (4) thatis stored in the access control apparatus (4) and/or a group identifier(GroupID) for a group of access control apparatuses to which the accesscontrol apparatus (4) belongs, wherein the first check information (V)of access authorization information which has an identifier (LockID)only for the access control apparatus (4) is generated by cryptographicoperations being performed by means of the access authorizationparameters (B) using at least the first key (S₁) of the individual keypair, and wherein the first check information (V) of accessauthorization information which has an identifier (LockID) for the groupof access control apparatuses is generated by performing cryptographicoperations on the access authorization parameters using at least thefirst key (S_(T1)) of the group key pair.

Exemplary Embodiment 88

The method according to exemplary embodiment 87, wherein on the basis ofthe identifier (LockID), in particular on the basis of a predefinedformat of the identifier, in the access control apparatus (4), it ispossible to identify whether an identifier for only one access controlapparatus (4) or an identifier for a group of access control apparatusesis involved, such that either the second key (S₂) of the individual keypair or the second key (S_(T2)) of the group key pair can be selected ineach case appropriately for the first checking.

Exemplary Embodiment 89

The method according to any of exemplary embodiments 66-88, wherein oneof the access authorization parameters (B) is an identifier (KeyID) forthe access authorization information (B, V) or for the accessauthorization proving apparatus (3), and wherein it is determined thatthe identifier (KeyID) authorizes for access if the identifier is notcontained in a rejection list (RL) stored in the access controlapparatus (4).

Exemplary Embodiment 90

The method according to any of exemplary embodiments 66-89, furthercomprising:

-   -   communicating to the access control apparatus (4)        information (A) comprising at least one fourth key (H₄) that is        encrypted using at least the first key (S₁, S_(T1)) of the key        pair and that can be used in an authentication of the access        control apparatus (4) vis-à-vis the access authorization proving        apparatus (3), or in the checking of the authenticity and/or        integrity of information communicated to the access control        apparatus (4), in order to enable the latter to decrypt the        encrypted fourth key using at least the second key (S₂, S_(T2))        of the key pair and to use said fourth key.

Exemplary Embodiment 91

The method according to any of exemplary embodiments 66-89, furthercomprising:

-   -   communicating to the access control apparatus (4)        information (A) comprising at least one combination—encrypted        using at least the first key (S₁, S_(T1)) of the key pair—of a        fourth key (H₄) and an identifier (KeyID) for the access        authorization information (B, V) or for the access authorization        proving apparatus (3), wherein the fourth key (H₄) can be used        in an authentication of the access control apparatus (4)        vis-à-vis the access authorization proving apparatus (3) or in        the checking of the authenticity and/or integrity of information        communicated to the access control apparatus (4), in order to        enable the latter to decrypt the encrypted combination using at        least the second key (S₂, S_(T2)) of the key pair, in order to        obtain the fourth key (H₄) and the identifier,

wherein the identifier (KeyID) further constitutes one of the accessauthorization parameters (B), and wherein it is determined in the accesscontrol apparatus (4) that the identifier (KeyID) contained in thecommunicated access authorization information (B, V) authorizes foraccess if the identifier (KeyID) contained in the communicated accessauthorization information (B, V) corresponds to the identifier (KeyID)obtained by decrypting the encrypted combination.

Exemplary Embodiment 92

The method according to any of exemplary embodiments 66-89, furthercomprising:

-   -   communicating to the access control apparatus (4)        information (A) comprising at least one combination—encrypted        using at least the first key (S₁, S_(T1)) of the key pair—of a        fourth key (H₄) and an identifier (KeyID) for the access        authorization information (B, V) or for the access authorization        proving apparatus (3), wherein the fourth key (H₄) can be used        in an authentication of the access control apparatus (4)        vis-à-vis the access authorization proving apparatus (3) or in        the checking of the authenticity and/or integrity of information        communicated to the access control apparatus (4), in order to        enable the latter to decrypt the encrypted combination using at        least the second key (S₂, S_(T2)) of the key pair, in order to        obtain the fourth key (H₄) and the identifier,

wherein the identifier (KeyID) further constitutes one of the accessauthorization parameters (B), and wherein it is determined in the accesscontrol apparatus (4) that the identifier (KeyID) contained in thecommunicated access authorization information (B, V) authorizes foraccess if the identifier (KeyID) contained in the communicated accessauthorization information (B, V) corresponds to the identifier (KeyID)obtained by decrypting the encrypted combination and the identifier(KeyID) is not contained in a rejection list (RL) stored in the accesscontrol apparatus (4).

Exemplary Embodiment 93

The method according to either of exemplary embodiments 91-92, whereinthe access authorization information (B, V) communicated to the accesscontrol apparatus (4) is stored in identical form on at least two accessauthorization proving apparatuses (3), wherein the identical accessauthorization information (B, V) stored on the at least two accessauthorization proving apparatuses (3) in each case has the sameidentifier (KeyID) for the access authorization information (B, V) andsaid access authorization information (B, V) is associated in each casewith the same fourth key (H₄).

Exemplary Embodiment 94

The method according to exemplary embodiment 93, wherein the accessauthorization information (B, V) communicated to the access controlapparatus (4) has a limited temporal validity and/or has only a limitedpermissible number of access processes within its period of validityand/or can be or is only communicated to the access control apparatus(4) by the access authorization proving apparatus (3) if it isdetermined at the access authorization proving apparatus (3) that thereis a need for the access to the access control apparatus (4).

Exemplary Embodiment 95

The method according to any of exemplary embodiments 90-94, wherein thefourth key (H₄) together with a third key (H₃) forms a symmetrical orasymmetrical key pair, the method further comprising:

-   -   generating third check information (V′) by performing        cryptographic operations on a challenge (R) generated by the        access apparatus, the access authorization parameters (B) and        the first check information (V) using at least the third key        (H₃),    -   communicating the third check information (V′) to the access        control apparatus, wherein a further necessary condition for        granting access is a second checking, performed at the access        control apparatus, using at least the challenge (R), the        communicated access authorization parameters (B), the        communicated first check information (V), the communicated third        check information (V′) and the fourth key (H₄), reveals that the        communicated third check information (V′) was generated by        cryptographic operations being performed by means of information        corresponding to the challenge (R), the communicated access        authorization parameters (B) and the communicated first check        information (V), using at least the third key (H₃).

Exemplary Embodiment 96

The method according to any of exemplary embodiments 90-94, wherein theaccess control apparatus (4) can authenticate itself vis-à-vis theaccess authorization proving apparatus (3) using at least the fourth key(H₄), and wherein the access authorization information (B, V) iscommunicated from the access authorization proving apparatus (3) to theaccess control apparatus (4) only in the event of successfulauthentication.

Exemplary Embodiment 97

The method according to either of exemplary embodiments 89 and 92,further comprising:

-   -   generating fourth check information (V_(L)) by performing        cryptographic operations on rejection information (L) using at        least the first key (S₁, S_(T1)) of the key pair, wherein the        rejection information (L) comprises at least one new rejection        list (RL) with identifiers (KeyIDs) for access authorization        information (B, V) to be rejected or for access authorization        proving apparatuses (3) that are to reject access authorization        information (B, V) at the access control apparatus (4), and    -   communicating rejection information (L) comprising at least one        new rejection list (RL) with identifiers (KeyID) for access        authorization information (B, V) to be rejected or for access        authorization proving apparatuses (3) that are to reject access        authorization information (B, V) at the access control apparatus        (4), and communicating fourth check information (V_(L))        generated by performing cryptographic operations on the        rejection information (L) using at least the first key (S₁,        S_(T1)) of the key pair, to the access control apparatus,        wherein the communicated new rejection list (RL) is stored in        the access control apparatus (4) only under the precondition        that, in the case of a check based at least on the communicated        fourth check information (V_(L)), the second key (S₂, S_(T2)) of        the key pair and the communicated rejection information (L), it        is determined that the communicated fourth check information        (V_(L)) was generated by performing cryptographic operations on        the rejection information corresponding to the communicated        rejection information (L) using at least the first key (S₁,        S_(T1)) of the key pair.

Exemplary Embodiment 98

The method according to exemplary embodiment 97, wherein the rejectioninformation (L) further comprises a counter (Counter) that isincremented with each new rejection list (RL), and wherein the newrejection list (RL) is stored in the access control apparatus (4) onlyunder the further precondition that the value of the counter (Counter)comprised by the rejection information (L) is greater than a value of acounter provided in the access control apparatus (4), and wherein thevalue of the counter of the access control apparatus (4) is updated tothe value of the counter (Counter) comprised by the rejectioninformation (L) in or after the storage of the new rejection list (RL)in the access control apparatus (4).

Exemplary Embodiment 99

The method according to either of exemplary embodiments 97-98, whereinthe rejection information (L) further comprises an identifier (LockID)of only one access control apparatus (4) or a group of access controlapparatuses on which the new rejection list (RL) is intended to bestored, and wherein the new rejection list (RL) is stored in the accesscontrol apparatus (4) only under the further precondition that anindividual identifier (LockID) of the access control apparatus (4) thatis stored in the access control apparatus (4) or a group identifier(GroupID) for a group of access control apparatuses that contains theaccess control apparatus (4) corresponds to the identifier comprised inthe rejection information.

Exemplary Embodiment 100

The method according to any of exemplary embodiments 66-99, wherein oneof the access authorization parameters (B) indicates to what extent, inparticular to which openings of the access control apparatus (4) or towhich openings of an apparatus controlled by the access controlapparatus (4), access is intended to be granted.

Exemplary Embodiment 101

A computer program, comprising program instructions that cause aprocessor to perform and/or control the method according to any ofexemplary embodiments 66 to 100 when the computer program runs on theprocessor.

Exemplary Embodiment 102

An access authorization proving apparatus (3), configured to performand/or control the method according to any of exemplary embodiments66-100 or comprising respective means for performing and/or controllingthe steps of the method according to any of exemplary embodiments66-100.

Exemplary Embodiment 103

A system, comprising:

-   -   an access control apparatus (4) according to exemplary        embodiment 32,    -   an access authorization generation apparatus (2), in particular        according to exemplary embodiment 65, and    -   an access authorization proving apparatus (3), in particular        according to exemplary embodiment 102, wherein the access        authorization information (B, V) is generated by the access        authorization generation apparatus (2) and is communicated to        the access control apparatus (4) by the access authorization        proving apparatus (3).

The exemplary embodiments of the present invention described by way ofexample in this specification are intended also to be understood asdisclosed in all combinations with one another. In particular, thedescription of a feature comprised by an embodiment—unless explicitlyexplained to the contrary—in the present case also ought not beunderstood to mean that the feature is indispensible or essential forthe function of the exemplary embodiment. The sequence of the methodsteps in the individual flow diagrams as outlined in this specificationis not mandatory; alternative sequences of the method steps areconceivable. The method steps can be implemented in various ways; animplementation in software (by program instructions), hardware or acombination of both is thus conceivable for implementing the methodsteps. Terms used in the patent claims such as “comprise”, “have”,“include”, “contain” and the like do not exclude further elements orsteps. The wording “at least partly” includes both the case “partly” andthe case “completely”. The wording “and/or” is intended to be understoodto the effect that the disclosure is intended to include both thealternative and the combination, that is to say “A and/or B” means “(A)or (B) or (A and B)”. In the context of this specification, units,persons or the like in the plural mean a plurality of units, persons orthe like. The use of the indefinite article does not exclude the plural.An individual device can perform the functions of a plurality of unitsor devices mentioned in the patent claims. Reference signs indicated inthe patent claims should not be regarded as limitations of the means andsteps used.

The invention claimed is:
 1. A method for access control, performed byan access control apparatus, the method comprising: obtaining accessauthorization information communicated to the access control apparatusand comprising at least one or more access authorization parameters andfirst check information, first checking, using at least the communicatedaccess authorization parameters, the communicated first checkinformation and a second key of a symmetrical or asymmetrical key pair,said second key being stored in the access control apparatus, as towhether the communicated first check information was generated byperforming cryptographic operations on access authorization parameterscorresponding to the communicated access authorization parameters usingat least a first key of the key pair, deciding whether access ispermitted to be granted, wherein necessary conditions for grantingaccess are that the first checking yields a positive result and that itis determined that at least one predefined set of the communicatedaccess authorization parameters, in view of respective pieces ofreference information present in the access control apparatus at leastat the time of the first checking, respectively authorize for access,wherein the access control apparatus constitutes an access controlapparatus from a plurality of access control apparatuses, wherein asecond key of a symmetrical or asymmetrical individual key pair isstored in the access control apparatus, said second key being stored onnone of the other access control apparatuses of the plurality of accesscontrol apparatuses, and wherein the second key of the key pair that isused in the first checking is the second key of the individual key pair,or wherein a second key of a symmetrical or asymmetrical group key pairis, in addition to said second key of said individual key pair, storedin the access control apparatus, said second key of said group key pairbeing different than the second key of the individual key pair and beingstored in all access control apparatuses of a group of access controlapparatuses from the plurality of access control apparatuses, whereinsaid group of access control apparatuses comprises the access controlapparatus, and the second key of the key pair that is used in the firstchecking is either the second key of the individual key pair or thesecond key of the group key pair.
 2. A method for generating accessauthorization information, the method comprising: generating first checkinformation by performing cryptographic operations on one or more accessauthorization parameters using at least a first key of a symmetrical orasymmetrical key pair, generating access authorization informationcomprising at least the one or more access authorization parameters andthe first check information, and outputting the access authorizationinformation for storage on an access authorization proving apparatusconfigured to communicate the access authorization information to atleast one access control apparatus in order to enable the latter todecide whether access is permitted to be granted on the basis of thecommunicated access authorization information, wherein necessaryconditions for granting access are that a first checking, using at leastthe communicated access authorization parameters, the communicated firstcheck information and a second key of the key pair, said second keybeing stored in the access control apparatus, whether the communicatedfirst check information was generated by performing cryptographicoperations on access authorization parameters corresponding to thecommunicated access authorization parameters using at least the firstkey of the key pair, yields a positive result and it is determined thatat least one predefined set of the communicated access authorizationparameters, in view of respective pieces of reference informationpresent in the access control apparatus at least at the time of thefirst checking, respectively authorize for access, wherein the accesscontrol apparatus constitutes an access control apparatus from aplurality of access control apparatuses, wherein a second key of asymmetrical or asymmetrical individual key pair is stored in the accesscontrol apparatus, said second key being stored on none of the otheraccess control apparatuses of the plurality of access controlapparatuses, and wherein the first key of the key pair that is used inthe generating of the first check information is a first key of theindividual key pair, or wherein a second key of a symmetrical orasymmetrical group key pair is, in addition to said second key of saidindividual key pair, stored in the access control apparatus, said secondkey of said group key pair being different than the second key of theindividual key pair and being stored in all access control apparatusesof a group of access control apparatuses from the plurality of accesscontrol apparatuses, wherein said group of access control apparatusescomprises the access control apparatus, and the first key of the keypair that is used in the generating of the first check information iseither a first key of the individual key pair or a first key of thegroup key pair.
 3. A method for proving an access authorization,performed by an access authorization proving apparatus, the methodcomprising: communicating access authorization information comprising atleast one or more access authorization parameters and first checkinformation to an access control apparatus in order to enable the latterto decide whether access is permitted to be granted on the basis of thecommunicated access authorization information, wherein necessaryconditions for granting access are that a first checking, using at leastthe communicated access authorization parameters, the communicated firstcheck information and a second key of a symmetrical or asymmetrical keypair, said second key being stored in the access control apparatus,whether the communicated first check information was generated byperforming cryptographic operations on access authorization parameterscorresponding to the communicated access authorization parameters usingat least a first of the key pair, yields a positive result and it isdetermined that at least one predefined set of the communicated accessauthorization parameters, in view of respective pieces of referenceinformation present in the access control apparatus at least at the timeof the first checking, respectively authorize for access, wherein theaccess control apparatus constitutes an access control apparatus from aplurality of access control apparatuses, wherein a second key of asymmetrical or asymmetrical individual key pair is stored in the accesscontrol apparatus, said second key being stored on none of the otheraccess control apparatuses of the plurality of access controlapparatuses, and wherein the first key of the key pair that is used in agenerating of the first check information is a first key of theindividual key pair, or wherein a second key of a symmetrical orasymmetrical group key pair is, in addition to said second key of saidindividual key pair, stored in the access control apparatus, said secondkey of said group key pair being different than the second key of theindividual key pair and being stored in all access control apparatusesof a group of access control apparatuses from the plurality of accesscontrol apparatuses, wherein said group of access control apparatusescomprises the access control apparatus, and the first key of the keypair that is used in a generating of the first check information iseither a first key of the individual key pair or a first key of thegroup key pair.
 4. A non-transitory computer-readable storage mediumstoring a computer program comprising program instructions that cause aprocessor to perform and/or control the method as claimed in claim 1when the computer program runs on the processor.
 5. An access controlapparatus comprising at least one processor and at least one memory thatincludes program code, wherein the memory and the program code areconfigured to cause the access control apparatus with the at least oneprocessor to perform and/or control: obtaining access authorizationinformation communicated to the access control apparatus and comprisingat least one or more access authorization parameters and first checkinformation, first checking, using at least the communicated accessauthorization parameters, the communicated first check information and asecond key of a symmetrical or asymmetrical key pair, said second keybeing stored in the access control apparatus, as to whether thecommunicated first check information was generated by performingcryptographic operations on access authorization parameterscorresponding to the communicated access authorization parameters usingat least a first key of the key pair, deciding whether access ispermitted to be granted, wherein necessary conditions for grantingaccess are that the first checking yields a positive result and that itis determined that at least one predefined set of the communicatedaccess authorization parameters, in view of respective pieces ofreference information present in the access control apparatus at leastat the time of the first checking, respectively authorize for access,wherein the access control apparatus constitutes an access controlapparatus from a plurality of access control apparatuses, wherein asecond key of a symmetrical or asymmetrical individual key pair isstored in the access control apparatus, said second key being stored onnone of the other access control apparatuses of the plurality of accesscontrol apparatuses, and wherein the second key of the key pair that isused in the first checking is the second key of the individual key pair,or wherein a second key of a symmetrical or asymmetrical group key pairis, in addition to said second key of said individual key pair, storedin the access control apparatus, said second key of said group key pairbeing different than the second key of the individual key pair and beingstored in all access control apparatuses of a group access controlapparatuses from the plurality of access control apparatuses, whereinsaid group of access control apparatuses comprises the access controlapparatus, and the second key of the key pair that is used in the firstchecking is either the second key of the individual key pair or thesecond key of the group key pair.
 6. A non-transitory computer-readablestorage medium storing a computer program comprising programinstructions that cause a processor to perform and/or control the methodas claimed in claim 2 when the computer program runs on the processor.7. An apparatus comprising at least one processor and at least onememory that includes program code, wherein the memory and the programcode are configured to cause the apparatus with the at least oneprocessor to perform and/or control: generating first check informationby performing cryptographic operations on one or more accessauthorization parameters using at least a first key of a symmetrical orasymmetrical key pair, generating access authorization informationcomprising at least the one or more access authorization parameters andthe first check information, and outputting the access authorizationinformation for storage on an access authorization proving apparatusconfigured to communicate the access authorization information to atleast one access control apparatus in order to enable the latter todecide whether access is permitted to be granted on the basis of thecommunicated access authorization information, wherein necessaryconditions for granting access are that a first checking, using at leastthe communicated access authorization parameters, the communicated firstcheck information and a second key of the key pair, said second keybeing stored in the access control apparatus, whether the communicatedfirst check information was generated by performing cryptographicoperations on access authorization parameters corresponding to thecommunicated access authorization parameters using at least the firstkey of the key pair, yields a positive result and it is determined thatat least one predefined set of the communicated access authorizationparameters, in view of respective pieces of reference informationpresent in the access control apparatus at least at the time of thefirst checking, respectively authorize for access, wherein the accesscontrol apparatus constitutes an access control apparatus from aplurality of access control apparatuses, wherein a second key of asymmetrical or asymmetrical individual key pair is stored in the accesscontrol apparatus, said second key being stored on none of the otheraccess control apparatuses of the plurality of access controlapparatuses, and wherein the first key of the key pair that is used inthe generating of the first check information is a first key of theindividual key pair, or wherein a second key of a symmetrical orasymmetrical group key pair is, in addition to said second key of saidindividual key pair, stored in the access control apparatus, said secondkey of said group key pair being different than the second key of theindividual key pair and being stored in all access control apparatusesof a group of access control apparatuses from the plurality of accesscontrol apparatuses, wherein said group of access control apparatusescomprises the access control apparatus, and the first key of the keypair that is used in the generating of the first check information iseither a first key of the individual key pair or a first key of thegroup key pair.
 8. A non-transitory computer-readable storage mediumstoring a computer program comprising program instructions that cause aprocessor to perform and/or control the method as claimed in claim 3when the computer program runs on the processor.
 9. An apparatuscomprising at least one processor and at least one memory that includesprogram code, wherein the memory and the program code are configured tocause the apparatus with the at least one processor to perform and/orcontrol: communicating access authorization information comprising atleast one or more access authorization parameters and first checkinformation to an access control apparatus in order to enable the latterto decide whether access is permitted to be granted on the basis of thecommunicated access authorization information, wherein necessaryconditions for granting access are that a first checking, using at leastthe communicated access authorization parameters, the communicated firstcheck information and a second key of a symmetrical or asymmetrical keypair, said second key being stored in the access control apparatus,whether the communicated first check information was generated byperforming cryptographic operations on access authorization parameterscorresponding to the communicated access authorization parameters usingat least a first key of the key pair, yields a positive result and it isdetermined that at least one predefined set of the communicated accessauthorization parameters, in view of respective pieces of referenceinformation present in the access control apparatus at least at the timeof the first checking, respectively authorize for access, wherein theaccess control apparatus constitutes an access control apparatus from aplurality of access control apparatuses, wherein a second key of asymmetrical or asymmetrical individual key pair is stored in the accesscontrol apparatus, said second key being stored on none of the otheraccess control apparatuses of the plurality of access controlapparatuses, and wherein the first key of the key pair that is used in agenerating of the first check information is a first key of theindividual key pair, or wherein a second key of a symmetrical orasymmetrical group key pair is, in addition to said second key of saidindividual key pair, stored in the access control apparatus, said secondkey of said group key pair being different than the second key of theindividual key pair and being stored in all access control apparatusesof a group of access control apparatuses from the plurality of accesscontrol apparatuses, wherein said group of access control apparatusescomprises the access control apparatus, and the first key of the keypair that is used in a generating of the first check information iseither a first key of the individual key pair or a first key of thegroup key pair.
 10. The method as claimed in claim 1, wherein the secondkey of the group key pair is stored in the access control apparatus, andwherein the second key of the key pair that is used in the firstchecking is either the second key of the individual key pair or thesecond key of the group key pair.
 11. The method as claimed in claim 2,wherein the second key of the group key pair is stored in the accesscontrol apparatus, and wherein the second key of the key pair that isused in the first checking is either the second key of the individualkey pair or the second key of the group key pair.
 12. The method asclaimed in claim 3, wherein the second key of the group key pair isstored in the access control apparatus, and wherein the second key ofthe key pair that is used in the first checking is either the second keyof the individual key pair or the second key of the group key pair. 13.The access control apparatus as claimed in claim 5, wherein the secondkey of the group key pair is stored in the access control apparatus,wherein the second key of the key pair that is used in the firstchecking is either the second key of the individual key pair or thesecond key of the group key pair, wherein at least one second key of asymmetrical or asymmetrical further group key pair is further stored inthe access control apparatus, said at least one second key of saidfurther group key pair being different than the second key of theindividual key pair and the second key of the group key pair and beingstored in all access control apparatuses of a further group of accesscontrol apparatuses from the plurality of access control apparatuses,wherein said further group of access control apparatuses comprises theaccess control apparatus and includes, however, at least one or moreother access control apparatuses in comparison with the group of accesscontrol apparatuses, and wherein the second key of the key pair that isused in the first checking is either the second key of the individualkey pair, the second key of the group key pair or the second key of thefurther group key pair.
 14. The access control apparatus as claimed inclaim 5, wherein the second key of the group key pair is stored in theaccess control apparatus, wherein the second key of the key pair that isused in the first checking is either the second key of the individualkey pair or the second key of the group key pair, wherein provision isnot made for changing the second key of the individual key pair in theaccess control apparatus, for erasing said second key or for exchangingit for another key, but wherein it is provided that the second key ofthe group key pair can be changed or erased or exchanged for anotherkey.
 15. The access control apparatus as claimed in claim 5, wherein thesecond key of the group key pair is stored in the access controlapparatus, wherein the second key of the key pair that is used in thefirst checking is either the second key of the individual key pair orthe second key of the group key pair, wherein the memory and the programcode are configured to cause the access control apparatus with the atleast one processor to further perform and/or control: obtaining groupkey information communicated to the access control apparatus andcomprising at least one second key— encrypted with the first key of theindividual key pair— of a new symmetrical or asymmetrical group key pairfor the same or an at least partly different group of access controlapparatuses from the plurality of access control apparatuses, decryptingthe communicated encrypted second key of the new group key pair with thesecond key of the individual key pair, and storing the second key of thenew group key pair obtained by the decrypting in the access controlapparatus, such that the second key of the key pair used in the firstchecking is at least either the second key of the individual key pair orthe second key of the new group key pair.
 16. The access controlapparatus as claimed in claim 15, wherein the memory and the programcode are configured to cause the access control apparatus with the atleast one processor to further perform and/or control: obtaining secondcheck information communicated to the access control apparatus, andstoring the second key of the new group key pair obtained by thedecrypting in the access control apparatus only under the preconditionthat it is determined in a check that is based at least on thecommunicated second check information, the second key of the individualkey pair and the communicated group key information that thecommunicated second check information was generated by performingcryptographic operations on the group key information corresponding tothe communicated group key information using at least the first key ofthe individual key pair.
 17. The access control apparatus as claimed inclaim 16, wherein the group key information further comprises a counterthat is incremented with each new group key pair, and wherein the secondkey of the new group key pair obtained by the decrypting is stored inthe access control apparatus only under the further precondition that avalue of a counter comprised by the group key information is greaterthan a value of a counter provided in the access control apparatus, andwherein, in or after the storage of the second key of the new group keypair in the access control apparatus, the value of the counter in theaccess control apparatus is updated to the value of the countercomprised by the group key information.
 18. The access control apparatusas claimed in claim 16, wherein the group key information furthercomprises an individual identifier of the access control apparatus, andwherein the second key of the new group key pair that is obtained by thedecrypting is stored in the access control apparatus only under thefurther precondition that an individual identifier of the access controlapparatus that is stored in the access control apparatus corresponds tothe individual identifier comprised in the group key information. 19.The access control apparatus as claimed in claim 15, wherein the groupkey information further comprises a group identifier associated with thenew group key pair, said group identifier being common to all the accesscontrol apparatuses of the group of access control apparatuses for whichthe new group key pair is intended, and wherein the group identifierobtained by the decrypting is stored in the access control apparatus.20. The access control apparatus as claimed in claim 5, wherein one ofthe communicated access authorization parameters is an identifier foronly one access control apparatus or a group of access controlapparatuses, and wherein it is determined that the identifier authorizesfor access if the identifier corresponds to an individual identifier ofthe access control apparatus that is stored in the access controlapparatus and/or a group identifier for a group of access controlapparatuses to which the access control apparatus belongs.
 21. Theaccess control apparatus as claimed in claim 5, wherein the second keyof the group key pair is stored in the access control apparatus, whereinthe second key of the key pair that is used in the first checking iseither the second key of the individual key pair or the second key ofthe group key pair, wherein one of the communicated access authorizationparameters is an identifier for only one access control apparatus or agroup of access control apparatuses, and wherein it is determined thatthe identifier authorizes for access if the identifier corresponds to anindividual identifier of the access control apparatus that is stored inthe access control apparatus and/or a group identifier for a group ofaccess control apparatuses to which the access control apparatusbelongs, wherein the first check information of communicated accessauthorization information which has an identifier for only one accesscontrol apparatus is generated by performing cryptographic operations onthe access authorization parameters using at least a first key of theindividual key pair, and wherein the first check information ofcommunicated access authorization information which has an identifierfor a group of access control apparatuses is generated by performingcryptographic operations on the access authorization parameters using atleast a first key of the group key pair.
 22. The access controlapparatus as claimed in claim 21, wherein on the basis of theidentifier, it is possible in the access control apparatus to identifywhether the identifier is an identifier for only one access controlapparatus or an identifier for a group of access control apparatuses isinvolved, such that either the second key of the individual key pair orthe second key of the group key pair can be selected in each caseappropriately for the first checking.
 23. The access control apparatusas claimed in claim 5, wherein one of the communicated accessauthorization parameters is an identifier for the access authorizationinformation or for an access authorization proving apparatus whichcommunicates the access authorization information to the access controlapparatus, and wherein it is determined that the identifier authorizesfor access if the identifier is not contained in a rejection list storedin the access control apparatus.
 24. The access control apparatus asclaimed in claim 5, wherein the memory and the program code areconfigured to cause the access control apparatus with the at least oneprocessor to further perform and/or control: obtaining informationcommunicated to the access control apparatus and comprising at least onefourth key encrypted using at least the first key of the key pair andusable in an authentication of the access control apparatus vis-à-vis anaccess authorization proving apparatus that communicates the accessauthorization information to the access control apparatus, or in thecheck of the authenticity and/or integrity of information communicatedto the access control apparatus, and decrypting the encrypted fourth keyusing at least the second key of the key pair in order to obtain thefourth key.
 25. The access control apparatus as claimed in claim 5,wherein the memory and the program code are configured to cause theaccess control apparatus with the at least one processor to furtherperform and/or control: obtaining information communicated to the accesscontrol apparatus and comprising at least one combination— encryptedusing at least the first key of the key pair— of a fourth key and anidentifier for the access authorization information or for an accessauthorization proving apparatus that communicates the accessauthorization information to the access control apparatus, wherein thefourth key is usable in an authentication of the access controlapparatus vis-à-vis an access authorization proving apparatus thatcommunicates the access authorization information to the access controlapparatus, or in the check of the authenticity and/or integrity ofinformation communicated to the access control apparatus, and decryptingthe encrypted combination using at least the second key of the key pairin order to obtain the fourth key and the identifier, wherein theidentifier further constitutes one of the communicated accessauthorization parameters, and wherein it is determined that theidentifier contained in the communicated access authorizationinformation authorizes for access if the identifier contained in thecommunicated access authorization information corresponds to theidentifier obtained by decrypting the encrypted information, or if theidentifier contained in the communicated access authorizationinformation corresponds to the identifier obtained by decrypting theencrypted information and the identifier is not contained in a rejectionlist stored in the access control apparatus.
 26. The access controlapparatus as claimed in claim 25, wherein the access authorizationinformation communicated to the access control apparatus is stored inidentical form on at least two access authorization proving apparatuses,wherein the identical access authorization information stored on the atleast two access authorization proving apparatuses in each case has thesame identifier for the access authorization information and said accessauthorization information is associated in each case with the samefourth key.
 27. The access control apparatus as claimed in claim 26,wherein the access authorization information communicated to the accesscontrol apparatus has a limited temporal validity and/or has only alimited permissible number of access processes within its period ofvalidity and/or can be or is only communicated to the access controlapparatus by the access authorization proving apparatus if it isdetermined at the access authorization proving apparatus that there is aneed for the access to the access control apparatus.
 28. The accesscontrol apparatus as claimed in claim 24, wherein the fourth keytogether with a third key forms a symmetrical or asymmetrical key pair,and wherein the communicated access authorization information furthercomprises third check information, wherein the memory and the programcode are configured to cause the access control apparatus with the atleast one processor to further perform and/or control: second checking,using at least a challenge generated by the access control apparatus,the communicated access authorization parameters, the communicated firstcheck information, the communicated third check information and thefourth key, whether the communicated third check information wasgenerated by performing cryptographic operations on informationcorresponding to the generated challenge, the communicated accessauthorization parameters and the communicated first check information,using at least the third key, wherein a further necessary condition forgranting the access is that the second checking yields a positiveresult.
 29. The access control apparatus as claimed in claim 24, whereinthe memory and the program code are configured to cause the accesscontrol apparatus with the at least one processor to further performand/or control: authenticating vis-a-vis an access authorization provingapparatus that includes the access authorization information, using atleast the fourth key, wherein the access authorization information iscommunicated to the access control apparatus by the access authorizationproving apparatus only in the event of successful authentication. 30.The access control apparatus as claimed in claim 5, wherein the secondkey of the group key pair is stored in the access control apparatus, andwherein the second key of the key pair that is used in the firstchecking is either the second key of the individual key pair or thesecond key of the group key pair.
 31. The apparatus as claimed in claim7, wherein provision is not made for changing the second key of theindividual key pair in the access control apparatus, for erasing saidsecond key or for exchanging it for another key, but wherein it isprovided that the second key of the group key pair can be changed orerased or exchanged for another key.
 32. The apparatus as claimed inclaim 7, wherein the memory and the program code are configured to causethe apparatus with the at least one processor to further perform and/orcontrol: generating group key information comprising at least one secondkey— encrypted with the first key of the individual key pair— of a newsymmetrical or asymmetrical group key pair for the same or an at leastpartly different group of access control apparatuses from the pluralityof access control apparatuses, outputting the group key information forstorage on the access authorization proving apparatus, which isconfigured to communicate the group key information at least to theaccess control apparatus in order to enable the latter to store in theaccess control apparatus the second key of the new group key pair, whichsecond key is obtainable by decryption of the communicated encryptedsecond key of the new group key pair using at least the second key ofthe individual key pair, such that the second key of the key pair thatis used in the first checking is either the second key of the individualkey pair or the second key of the new group key pair.
 33. The apparatusas claimed in claim 7, wherein one of the access authorizationparameters is an identifier for only one access control apparatus or agroup of access control apparatuses, and wherein it is determined in theaccess control apparatus that the identifier authorizes for access ifthe identifier corresponds to an individual identifier of the accesscontrol apparatus that is stored in the access control apparatus and/ora group identifier for a group of access control apparatuses to whichthe access control apparatus belongs.
 34. The apparatus as claimed inclaim 7, wherein one of the access authorization parameters is anidentifier for the access authorization information or for the accessauthorization proving apparatus which communicates the accessauthorization information to the access control apparatus, and whereinit is determined that the identifier authorizes for access if theidentifier is not contained in a rejection list stored in the accesscontrol apparatus.
 35. The apparatus as claimed in claim 7, wherein thememory and the program code are configured to cause the apparatus withthe at least one processor to further perform and/or control: encryptinga fourth key using at least the first key of the key pair, wherein thefourth key can be used in an authentication of the access controlapparatus vis-à-vis the access authorization proving apparatus, whichcommunicates the access authorization information to the access controlapparatus, or in the checking of the authenticity and/or integrity ofinformation communicated to the access control apparatus, generatinginformation comprising at least the encrypted fourth key, and outputtingthe information for storage on the access authorization provingapparatus, which is configured to communicate the information at leastto the access control apparatus in order to enable the latter to decryptthe encrypted fourth key using at least the second key of the key pairand to use said fourth key.
 36. The apparatus as claimed in claim 7,wherein the memory and the program code are configured to cause theapparatus with the at least one processor to further perform and/orcontrol: encrypting a combination of a fourth key and an identifier forthe access authorization information or for the access authorizationproving apparatus, which communicates the access authorizationinformation to the access control apparatus, using at least the firstkey of the key pair, wherein the fourth key can be used in anauthentication of the access control apparatus vis-à-vis an accessauthorization proving apparatus, which communicates the accessauthorization information to the access control apparatus, or in thechecking of the authenticity and/or integrity of informationcommunicated to the access control apparatus, generating informationcomprising at least the encrypted combination, and outputting theinformation for storage on the access authorization proving apparatus,which is configured to communicate the information at least to theaccess control apparatus in order to enable the latter to decrypt theencrypted combination using at least the second key of the key pair, inorder to obtain the fourth key and the identifier, wherein theidentifier further constitutes one of the access authorizationparameters, and wherein it is determined in the access control apparatusthat the identifier contained in the communicated access authorizationinformation authorizes for access if the identifier contained in thecommunicated access authorization information corresponds to theidentifier obtained by decrypting the encrypted combination.
 37. Theapparatus as claimed in claim 7, wherein the memory and the program codeare configured to cause the apparatus with the at least one processor tofurther perform and/or control: encrypting a combination of a fourth keyand an identifier for the access authorization information or for theaccess authorization proving apparatus, which communicates the accessauthorization information to the access control apparatus, using atleast the first key of the key pair, wherein the fourth key can be usedin an authentication of the access control apparatus vis-à-vis an accessauthorization proving apparatus, which communicates the accessauthorization information to the access control apparatus, or in thechecking of the authenticity and/or integrity of informationcommunicated to the access control apparatus, generating informationcomprising at least the encrypted combination, and outputting theinformation for storage on the access authorization proving apparatus,which is configured to communicate the information at least to theaccess control apparatus in order to enable the latter to decrypt theencrypted combination using at least the second key of the key pair, inorder to obtain the fourth key and the identifier, wherein theidentifier further constitutes one of the access authorizationparameters, and wherein it is determined in the access control apparatusthat the identifier contained in the communicated access authorizationinformation authorizes for access if the identifier contained in thecommunicated access authorization information corresponds to theidentifier obtained by decrypting the encrypted combination and theidentifier is not contained in a rejection list stored in the accesscontrol apparatus.
 38. The apparatus as claimed in claim 7, wherein oneof the access authorization parameters indicates to what extent accessis intended to be granted.
 39. The apparatus as claimed in claim 7,wherein one of the access authorization parameters indicates to whichopenings of the access control apparatus or to which openings of anapparatus controlled by the access control apparatus access is intendedto be granted.
 40. The apparatus as claimed in claim 7, wherein thesecond key of the group key pair is stored in the access controlapparatus, and wherein the second key of the key pair that is used inthe first checking is either the second key of the individual key pairor the second key of the group key pair.
 41. The apparatus as claimed inclaim 9, wherein the access authorization information is generated by anaccess authorization generation apparatus and stored in the accessauthorization proving apparatus before the access authorization provingapparatus is issued for the first time to a user of the accessauthorization proving apparatus.
 42. The apparatus as claimed in claim9, wherein the access authorization information is generated by anaccess authorization generation apparatus and communicated to the accessauthorization proving apparatus via an at least partly wirelesscommunication link.
 43. The apparatus as claimed in claim 9, whereincommunicating information from the access authorization provingapparatus to the access control apparatus is performed wirelessly. 44.The apparatus as claimed in claim 9, wherein the memory and the programcode are configured to cause the apparatus with the at least oneprocessor to further perform and/or control: communicating group keyinformation comprising at least one second key— encrypted with the firstkey of the individual key pair— of a new symmetrical or asymmetricalgroup key pair for the same or an at least partly different group ofaccess control apparatuses from the plurality of access controlapparatuses, to the access control apparatus in order to enable thelatter to store in the access control apparatus the second key of thenew group key pair, which second key is obtainable by decryption of thecommunicated encrypted second key of the new group key pair using atleast the second key of the individual key pair, such that the secondkey of the key pair that is used in the first checking is either thesecond key of the individual key pair or the second key of the new groupkey pair.
 45. The apparatus as claimed in claim 9, wherein one of theaccess authorization parameters is an identifier for only one accesscontrol apparatus or a group of access control apparatuses, and whereinit is determined in the access control apparatus that the identifierauthorizes for access if the identifier corresponds to an individualidentifier of the access control apparatus that is stored in the accesscontrol apparatus and/or a group identifier for a group of accesscontrol apparatuses to which the access control apparatus belongs. 46.The apparatus as claimed in claim 9, wherein one of the accessauthorization parameters is an identifier for the access authorizationinformation or for the access authorization proving apparatus, andwherein it is determined that the identifier authorizes for access ifthe identifier is not contained in a rejection list stored in the accesscontrol apparatus.
 47. The apparatus as claimed in claim 9, wherein thememory and the program code are configured to cause the apparatus withthe at least one processor to further perform and/or control:communicating to the access control apparatus information comprising atleast one fourth key that is encrypted using at least the first key ofthe key pair and that can be used in an authentication of the accesscontrol apparatus vis-à-vis the access authorization proving apparatus,or in the checking of the authenticity and/or integrity of informationcommunicated to the access control apparatus, in order to enable thelatter to decrypt the encrypted fourth key using at least the second keyof the key pair and to use said fourth key.
 48. The apparatus as claimedin claim 9, wherein the memory and the program code are configured tocause the apparatus with the at least one processor to further performand/or control: communicating to the access control apparatusinformation comprising at least one combination— encrypted using atleast the first key of the key pair— of a fourth key and an identifierfor the access authorization information or for the access authorizationproving apparatus, wherein the fourth key can be used in anauthentication of the access control apparatus vis-à-vis the accessauthorization proving apparatus or in the checking of the authenticityand/or integrity of information communicated to the access controlapparatus, in order to enable the latter to decrypt the encryptedcombination using at least the second key of the key pair, in order toobtain the fourth key and the identifier, wherein the identifier furtherconstitutes one of the access authorization parameters, and wherein itis determined in the access control apparatus that the identifiercontained in the communicated access authorization informationauthorizes for access if the identifier contained in the communicatedaccess authorization information corresponds to the identifier obtainedby decrypting the encrypted combination.
 49. The apparatus as claimed inclaim 9, wherein the memory and the program code are configured to causethe apparatus with the at least one processor to further perform and/orcontrol: communicating to the access control apparatus informationcomprising at least one combination— encrypted using at least the firstkey of the key pair— of a fourth key and an identifier for the accessauthorization information or for the access authorization provingapparatus, wherein the fourth key can be used in an authentication ofthe access control apparatus vis-à-vis the access authorization provingapparatus or in the checking of the authenticity and/or integrity ofinformation communicated to the access control apparatus, in order toenable the latter to decrypt the encrypted combination using at leastthe second key of the key pair, in order to obtain the fourth key andthe identifier, wherein the identifier further constitutes one of theaccess authorization parameters, and wherein it is determined in theaccess control apparatus that the identifier contained in thecommunicated access authorization information authorizes for access ifthe identifier contained in the communicated access authorizationinformation corresponds to the identifier obtained by decrypting theencrypted combination and the identifier is not contained in a rejectionlist stored in the access control apparatus.
 50. The apparatus asclaimed in claim 9, wherein one of the access authorization parametersindicates to what extent access is intended to be granted.
 51. Theapparatus as claimed in claim 9, wherein one of the access authorizationparameters indicates to which openings of the access control apparatusor to which openings of an apparatus controlled by the access controlapparatus access is intended to be granted.
 52. The apparatus as claimedin claim 9, wherein the second key of the group key pair is stored inthe access control apparatus, and wherein the second key of the key pairthat is used in the first checking is either the second key of theindividual key pair or the second key of the group key pair.